1 40

CCI Magazine_April/May_2024

Introducing...CCI Magazine: a digest for today's GRC professional. It's your HQ for GRC happenings, headlines and "heard on the street." Enjoy this complimentary copy!

APRIL/MAY 2024

A Digest for Today’s Governance, Risk & Compliance Professional

Why a risk-focused ethics and compliance program is the new normal Sea Change News Corp’s new CCO talks about managing upheaval Full Steam Ahead Building a better program from Day One About Risk ... +

Plus compliance industry news and events

VOLUME 1, ISSUE 2

CCI MEDIA GROUP PUBLISHER Sarah Hadden CCI MEDIA GROUP EDITORIAL DIRECTOR Jennifer L. Gaskin GUEST EDITOR Ty Francis CONTRIBUTORS: Jim DeLoach (Protiviti), Cameron Zayne (NeuroLeadership Institute), Dominic Ashley-Timms (Notion), Sophie Williams

CCI supports the important work of compliance professionals by providing a platform to those who speak and write with courage and authority. We publish original articles, including guest posts, industry whitepapers, podcasts, videos and eBooks. Columnists and contributing writers are subject matter experts and thought leaders who provide insight, opinion and tactical guidance on topics relating to compliance, risk, internal audit and information security. Our readership also includes boards of directors, HR and the C-suite. Our online audience is global, and

readership includes seasoned professionals as well as those who are new to a career in compliance. If you’re visiting CCI for the first time, subscribe to get top GRC news in your inbox once a week. If you’re interested in writing for CCI or sharing content, here’s how to do that. If you’re sharing GRC industry news regarding products, services, job openings or events, here are ways to connect with CCI’s audience. Suggestions, queries and feedback of any kind? Drop us a line.

CCI Media Group is an independent news organization with a mission to educate and encourage informed interaction within the global GRC community. Founded in 2010, Corporate Compliance Insights.com is the company’s flagship enterprise, a global online news source and knowledge-sharing forum. CCI Media Group is the parent company of CCI Press and publisher of CCI Magazine.

High-performing E&C programs are 2.1x more likely to leverage diverse data sources. Gain actionable insights with Catalyst Reveal.

Request a demo at LRN.com

@2024 LRN. All rights reserved. All brand, product, service names, and logos are trademarks and/or registered trademarks of their respective manufacturers and companies.

For more of LRN's insights, please visit LRN.com.

from the publisher Small Is the New Big W e’re noting a trend toward tiny compliance meetup events — and we’re totally here for it. Big compliance conferences have their place — and we’re packing our bags for a few right now — but it’s hard to ignore the obvious charms of a laid-back, intimate, semi-impromptu local meetup. And from what I’m hearing, the appeal is spreading. Just this week, I heard from three people seeking planning advice and publicity help for cozy local gatherings. We’re talking groups of a dozen compliance folks, maybe a few more. Their plans included meetups at local coffee shops, watering holes or restaurants with nothing on the agenda besides compliance camaraderie, authentic connections and real-time relationship-building (zero sales pitches and no cringe-y icebreakers). Is this right-sizing trend a collective sigh of relief in a post-Covid world where we crave the warmth of real, un-Zoomed faces? Maybe it’s a reflection of tight T&E budgets that make cross-country (or cross-continent) jaunts to conferences hard to justify. Or maybe it’s a subconscious yearning for authenticity in an age where artificial intelligence seems to loom over every human interaction, threatening to make the genuine feel quaint. Whatever the why , the phenomenon itself is worthy of a toast (with artisanal coffee or craft cocktails, take your pick), and so is the new buzzword associated with these small group gatherings: community-building . Forget “networking” and the dreary affairs the term evokes. If you’d like to attend a small-scale event in your area, why not start one? Take the plunge, plant your flag and host one. And let CCI help tell the story of what you’re creating. We don’t only want to report on these gatherings; we hope to spark them, support them and — when we can — sip something in solidarity. Interested? If you’ve got something local in the works, add it to CCI’s event calendar to help spread the word . We raise a toast to the compliance community, a group that’s proving, one small gathering at a time, that maybe, just maybe, we can find that elusive “real” in a world that feels increasingly virtual. May your conversations be lively, your connections meaningful and your community spirit unbreakable. Cheers to building something together, something sparkly and magical — something decidedly human. Sarah Hadden Publisher, CCI Magazine & CCI Media Group

Welcome

corporatecomplianceinsights.com | 3

CONTENTS

13

6-7 Seen & Heard What’s happening around our industry, and what’s coming up?

9-11 Starting Fresh A strong ethics and compliance function cuts a path toward success. Ty Francis, guest editor

Risk Factors COVER STORY Increasingly, a good ethics and compliance program is as much about risk as anything else. Ty Francis, guest editor

4 | April/May 2024

In this issue

CCI Magazine

21-24 Churning Along

Q&A with Imogen Haddon, the new chief compliance officer at News Corp.

What else is in this issue? Keep up with compliance career news in Movers & Shakers (36-37) . Do you know the 10 biggest FCPA enforcement actions in history (20) ? Speaking of the FCPA, mark your calendars because CCI Press has an exciting announcement (39) . 1, 14-15: Luis Moreno Martinez, for CCI Magazine; 9: Mikael Stenberg via Unsplash; 10-11: Simon Annable via Shutterstock; 13: Angus Gray via Unsplash; 16: Graphic by Jennifer L. Gaskin, CCI, with LRN data; 21: Marius Fiskum via Unsplash; 26: Cris Ovalle via Unsplash; 31: Shutterstock; 28: Wilhelm Gunkel via Unsplash

26-29 Forward Momentum

31-35 On the Job

From the CCI archives: Cameron Zayne shares insights about gender diversity; Dominic Ashley-Timms talks about what’s broken in management (and how to fix it); and Sophie Williams warns about an emerging risk for women in leadership: the glass cliff.

Those in software development are well-acquainted with the term “agile,” but as Jim DeLoach explores, agility is also a key component to a truly useful risk strategy.

In this issue

corporatecomplianceinsights.com | 5

Compliance industry, media and influencer news compiled by the staff of CCI Magazine

Media movers: Compliance Week ’s Kyle Brasseur has announced his resignation as editor in chief, a position he has held since October 2021. Brasseur joined Compliance Week as digital editor in 2018 and later served as managing editor. Compliance Week’s managing director Daniel Gorringe told CCI, “The quality and quantity of news coverage has grown significantly under Kyle’s leadership. ... I know I speak not just on behalf of the company and the team at Compliance Week but also our customers and our esteemed advisory board when I say that his contribution has been huge, and he will be greatly missed.” Brasseur said he plans to remain at his post long enough to support the transition to a new editor, as yet unnamed. Brasseur told CCI, “I’m grateful for the opportunities Compliance Week has given me and look forward to applying everything I learned to a new career path. I’d like to thank the compliance community for all their support over the years and look forward to taking time away from the corporate world to learn more about myself and my next journey.” Show us your shelves. Read any good books lately? Compliance officers are a particularly well-read group, so we’re always happy to share book recommendations for titles that help you do your job (or help you keep your sanity). This month we’re featuring a stack from Vera Cherepanova (Studio Etica), seen at right. Send us yours! Awards season is upon us. International Compliance Association recently shared its finalists across several categories, including nominees for Compliance Influencer of the Year : Alexander Culley (C&G Regulatory Solutions), Anila Haleem (UK Finance), Anu Ratan (BNY Mellon), Arun Chuhan (Tenet), Baptiste Forestier (Money Laundering Techniques newsletter and “The Laundromat” podcast), Bettina Palazzo

PHOTO COURTESY VERA CHEREPANOVA

(Palazzo Ethics Advisory), Ches Trower (Ogier), Christian Hunt (Human Risk), Mitch Trehan (Allica Bank), Nicolas Urien (DOJO Consulting Group), Vera Cherepanova (Studio Etica) and William Bolivar (KYC Lookup). Compliance Week has announced the short list for its annual Excellence in Compliance Awards , including the CCO/CECO of the Year. Those finalists include Denise Bohnert (Amedisys), Forrest Deegan (Victoria’s Secret), Gina Nese (Align Technology), Janine Smith (The J.M. Smucker Co.) and Kimberly White (Ingredion). Separately, Rethink Compliance founder and CEO Kirsten Liston has been named a Colorado Titan 100 for 2024. The award recognizes leaders who have built a reputation in their field and who are “changing the way that business is done in Colorado.” Liston’s trophy shelf is getting crowded, as this recent honor joins awards for the Inc. 5000 fastest-growing private companies in America (2021, 2022 and 2023), International E-Learning Award (2023) and a 2023 Women2Watch award from Women Presidents Organization. A boatload of downloads: Janet Johnson , founder of Artificial Intelligence Governance

6 | April/May 2024

Seen & Heard

CCI Magazine

Group (AiGg) was recently a presenter at GRC World Forums’ Risk Digital virtual event and made mention of free downloadable resources for compliance and risk pros . Describing them as “essential materials to jumpstart the organization’s journey into AI,” the downloads include AI policy templates and an AI readiness self-assessment. And speaking of AI, Paul H. Zietsman (SAP) shared with us that he recently was intrigued by the notion that a concise, three-page code of conduct could have as much (or more) impact on employee behavior than a 30-pager. He put AI to the test, challenging it to condense lengthy codes of conduct from three well-known international companies. Zietsman is eager to share the results and is seeking feedback for the next phase of his project. Take a look . Crowdsourcing powerhouse

podcasts: If you’re a fan of the usual compliance, risk and security podcasts, here’s your chance to cast a wider net. Let us introduce you to “ Lesley’s List. ” Courtesy Lesley Heizman (Lucidworks) It’s a plain-and-simple Google doc where she and a dozen or so folks in the compliance and security space have started compiling a list of must-listen programs. Got one to add? Join a crew of contributors here . Late-breaking meetup news: Miami in May. CCI is fanning the flames of the compliance meetup movement by sponsoring the inaugural meeting of the freshly minted “Miami Compliance Meetup.” If you’re in the Miami area May 16, join other compliance folks for beverages and conversation from 5-7 p.m. at Pisco y Nazca in Coral Gables. RSVP on LinkedIn by connecting with and replying to organizer Juliana Molina

(FGV Direito Rio). Confessions of a compliance officer. This just-for-fun video created by Ellen M. Hunt (Spark Compliance Consulting), with inspiration from Asha Palmer (Skillsoft), will make you laugh or cry — or both. This would probably be a good time to compose a disclaimer of some sort indicating the views expressed herein are not necessarily those of — oh whatever . Enjoy the video.

Watch online

We do a lot of things for love. Publishing CCI isn’t one of them. Advertising keeps the lights on and pays our small-but-mighty-team of journalists, researchers, developers and designers. We’re neither owned nor controlled by a corporation or vendor, and we don’t generate leads for ourselves because we’re not a consultancy or service provider. This keeps our coverage neutral and independent. And free! Subscriptions and paywalls aren’t part of our business model. Sneaky, deceptive “native” advertising isn’t,

either. When we have an advertising relationship with a content contributor, we disclose it. If we invite you to click on a link that would provide us with a commission, we disclose it. If we suggest you download a report and we’re planning to share your email address with a third- party, we disclose it — and we secure your permission. Our data privacy and data governance standards are impeccable, because we work in compliance , yeah? Read our privacy policy to learn more.

Have a tip to share? Got the inside scoop on the next big trend in the compliance world? Share the details of your compliance industry news or events by emailing editor@corporatecomplianceinsights.com.

Seen & Heard

corporatecomplianceinsights.com | 7

guest editor’s note Rocking the Boat Ty Francis Guest Editor, chief advisory officer, LRN W

elcome to the second edition of CCI Magazine. It’s a thrill to be able to guest edit this issue, and I sincerely hope you enjoy reading it as much as I’ve enjoyed guiding this coverage.

Channeling my teenage years of the 1980s, I asked if this month’s issue could be blended with an ’80s music theme but was told it had to be about compliance and ethics, which I guess is fair. But you could say that today’s compliance officer, much like The Reflex, can be a lonely child, waiting by the park, and also like The Reflex, compliance and ethics officers are in charge of finding treasure in the dark. The treasure we speak of is in the form of data and analytics. It’s becoming more prevalent and crucial to everything we do, with many saying it’s the new gold. I don’t think I’ve had a conversation over the past year, whether it be about sanctions, AI, third-party due diligence, training or culture measurement, without being drawn into a deep-diving conversation about what data and analytics can do to improve the way we approach compliance effectiveness. And let us not forget, the DOJ’s revised guidance emphasizes using compliance metrics and data to verify the effectiveness of a compliance program. And this month’s issue certainly covers the topic: global trends in ethics and compliance programs, including how they’re increasingly about risk; the top 10 most eye-watering fines for FCPA violations; why a compliance and ethics program should be a necessity for startups; and so much more. It’s all you ever wanted, and all you ever needed, and it’s here in this issue. — Ty Francis

8 | April/May 2024

Guest editor's welcome

CCI Magazine

Full Steam Ahead Investing in compliance for sustainable growth OPINION

Ty Francis Guest Editor

corporatecomplianceinsights.com | 9

Startups and small companies are in an enviable position: They can launch their ethics and compliance programs the right way. M ost of us who are reading this will be in the compliance and ethics business compliance programs helps young companies navigate intricate 33% of respondents said they reinforced their risk controls in the areas of sanctions and trade controls — down from 45% in our 2023 results — despite the ongoing

legal and regulatory frameworks, shielding businesses from potential pitfalls, safeguarding their reputation and promoting an ethos of ethics and compliance. Equally important but building on a basic E&C program is a solid third-party risk program. LRN’s most recent program effectiveness report showed a renewed interest and focus on risk identification, management and mitigation, illustrating another key characteristic of effective E&C programs. Interest alone doesn’t equal risk mitigation Even with an increased focus on the global risk landscape, only

— many from large publicly traded companies; others will be running compliance operations in smaller, private companies. Some will have just jumped the gap between private and public and are preparing for their new public life, and some will have just started their compliance journey. But very few will be in a compliance function at a startup. I wrote last year about how I believe that many startups overlook traditional ethics and compliance, viewing them as cumbersome burdens suited for more established entities. But implementing foundational

wars in Ukraine and the Middle East and enhanced government sanctions on China, Russia, Iran and other countries. So, what example are we, the established E&C programs, setting for our new, fresh startup and IPO market? Are we stuck in the compliance functions of the 2000s or can we rise to the challenge of embracing data and analytics? Our research shows that top-ranked programs go beyond the basics, are accessible to employees and prioritize enhancements to meet new and emerging global risks. For instance, top-performing

10 | April/May 2024

Full Steam Ahead

CCI Magazine

measuring tools now. Startups, for their part, can initiate these risk assessments, pinpointing potential compliance tripwires specific to their niche. The Theranos debacle underscores the gravity of due diligence in startups. Elizabeth Holmes’s biotech startup, hailed for its innovative blood-testing technology, crumbled under the weight of unmet promises and misrepresentations; Holmes is now in prison. Boards that benefit from clearer, more timely information also benefit from being able to predict risk. Stakeholders, now more than ever, should exercise meticulous scrutiny, particularly when revolutionary technologies are on the table. And for VCs, the playbook should involve deeper dives into the startups they invest in. Being advocates for strong ethics and compliance programs, better risk mitigation and more stringent third-party due diligence can only help protect reputations and ensure these companies grow into world leaders.

understands the values and ethical behaviors expected of them, while affording the compliance team the ability to audit vendor performance. Smaller, fast-growing companies have the perfect opportunity to embed new technology to allow them to start with the right foot first and grow into these best practices, scaling as they scale. Smaller organizations can benefit by benchmarking how their E&C program compares to best practices across certain dimensions. Those same benchmarking tools can also compare an E&C program to peer companies. All these endeavors can help enable insightful and fact-based decisions to continuously advance a company’s values-based culture. Beyond risk mitigation, it can also serve to communicate with the board more effectively when reporting on performance or requesting more resources. But we need to start implementing these foundational

programs are more than twice as likely to leverage data from a variety of sources to guide E&C program focus and development as part of ongoing evaluation, including risk analysis, misconduct trends and patterns, root cause analysis data, ethical culture surveys, training content retention, benchmarking and much more (on average, 56% compared to 26% of low-performing programs). Begin at the beginning Where do we start? Well, we start by evaluating where we are now. Evaluating the maturity of our programs shouldn’t be a burden. Identifying main risks should be done periodically, but still many companies rely on a snapshot in time and so fail to focus on emerging risks. We always recommend an organization update its current supplier compliance training process into a digital, more scalable solution for training and reporting. Any solution should ensure an organization’s vendor community

By Ty Francis

corporatecomplianceinsights.com | 11

Smart Code

79 % of E&C programs are prioritizing web-based investments.

Increase the impact of your code of conduct. Smart Code transforms your code into an interactive and searchable microsite that leverages the latest best practices in user experience design and analytics.

• Increase accessibility and awareness • Unlock new insights into program effectiveness • Leverage decades of code expertise

Request your demo at LRN.com

@2024 LRN. All rights reserved. All brand, product, service names, and logos are trademarks and/or registered trademarks of their respective manufacturers and companies.

For more of LRN's insights, please visit LRN.com.

Cover story

corporatecomplianceinsights.com | 13

Globally, ethics and compliance professionals are increasingly signaling that risk-related tasks are climbing up their priority lists. As risk pulls attention — especially emerging issues like AI — what does it even mean to have an effective ethics and compliance program today?

Ty Francis Guest Editor

14 | April/May 2024

Cover story

CCI Magazine

E thical culture is not static. Over time, organizations’ priorities inevitably shift in response to changes in the economic, geopolitical, regulatory and market environment and according to the specific dynamics of the organization itself. Ethics and compliance programs must adapt accordingly. While it’s important not to take a one-size-fits-all approach to ethics and compliance, there is nonetheless plenty to be learned from what others are doing and what they are concentrating on. Identifying developing trends and best practices can be extremely instructive as a reference point for E&C professionals as well

continues. A global convergence on E&C standards is becoming evident. And issues like the impact of artificial intelligence (AI) and ongoing hybrid working models are all firmly on the radar. Here, we look at what’s driving these developments and their significance. Risk mitigation is ramping up Managing risk has taken on new importance around the world in the past 12 months. Global E&C professionals ranked risk mitigation and risk analysis as their top priorities for program

as boards, senior executive leadership, and middle and lower management. That’s why for the past decade, LRN has been surveying thousands of E&C professionals at organizations worldwide with a view to gaining valuable insights into what makes an E&C program effective and how they are evolving to meet needs in a rapidly changing world. Our findings this year shine a powerful spotlight on exactly where attention is being focused. Risk mitigation is seeing renewed emphasis. Incentivization and accountability are taking center stage. Reliance on values

rather than rules as the key motivator of ethical behavior

RISK continued on Page 17

Cover story

corporatecomplianceinsights.com | 15

data insights Ethics & compliance program e ff ectiveness LRN’s 10th annual report on program effectiveness covers traditional areas like regulatory compliance and emerging challenges like AI. Selected insights from the report are below, and the full report is available for download here .

Where person responsible for E&C program reports

E ff ort expended in various areas

Not much/none

A great deal

Some

Board of directors 33%

Complex government regulations that impact our business

36%

59%

6%

Information security challenges (including arti  cial intelligence)

CEO 36%

General counsel 24%

33%

57%

10%

Bribery and corruption

27%

53%

20%

Other 7%

Data protection

42%

50%

9%

Trade sanctions, anti-money laundering and export controls

28%

56%

16%

E&C function has ability to raise issues directly to board of directors

Sexual harassment in the workplace

30%

53%

18%

Human rights and anti-slavery compliance

89%

29%

53%

18%

Environment, social and governance requirements

33%

57%

11%

Percentage of E&C programs that focus on values and not just rules

100%

82%

77%

80%

84%

50%

60%

48%

40%

2016

2018

2019

2020

2022

2023

2024

2021

16 | April/May 2024

Cover story

CCI Magazine

of Corporate Compliance Programs ” asks, “Is the risk

RISK from Page 15

Managing the impact of AI and hybrid work Last year, E&C programs focused comparatively less of their activities on bribery and corruption and more on information security, including AI and data protection (see chart at left). This is likely to stem, at least in part, from recent regulatory moves around AI. U.S. regulators have made plenty of noise about regulating AI and Big Tech, but it is the European Union and the UK that are putting their money where their mouths are and launching decisive regulatory action. European regulators have recently blocked major M&A deals by the likes of Adobe (both) and Microsoft (in the UK), and the EU has lined up legislation to regulate AI in the form of its AI Act, due to come into force later this year. Another key issue taxing the brains of E&C professionals is how to manage programs in an era when hybrid and remote work remain commonplace. Almost three-quarters say they have made significant changes to their E&C programs to meet the needs of employees in the face of altered workforce models. This includes tailoring programs to be more relevant to individual employees and make it easier for them to comply, facilitating staff to access training remotely and offering shorter courses, as well as prioritizing data analytics so they can measure impact and continuously improve. — Ty Francis

improvement and said that risk analysis is the most useful factor for evaluating program impact. This matters because minimizing risk is the bedrock of any E&C program. And the global risk landscape is becoming more challenging all the time, as new threats emerge and existing ones alter in shape and scope. Indeed, about seven in 10 of our respondents indicated that they had faced new or unexpected compliance risks in the past 12 months. Compliance risks were brought into sharp focus last year, with prosecutions against cryptocurrency exchange Binance Holdings and its CEO and the conviction for fraud, money laundering and conspiracy of FTX founder Sam Bankman- Fried hitting the headlines. These cases highlight how broadly U.S. regulations apply to organizations worldwide — since neither company was U.S.-based — and the extent to which they drive the evolution of best practices in E&C. Small wonder, then, that today, our survey respondents are focusing most of their efforts on addressing the implications of complex government regulations that impact their business (94% have put effort into this) as shown in the chart on the previous page. The focus on risk must, of necessity, be an ongoing process, with changes to the risk landscape being monitored over time and E&C programs being brought up to date accordingly. As the U.S. Department of Justice’s most recent updates to its “ Evaluation

assessment limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures and controls?” Encouragingly, our research suggests most companies have their finger on the pulse. Many say they regularly analyze issues like regulatory requirements and expectations. Compliance risks are also at the top of board members’ E&C agendas. Not all risks are getting the same amount of attention, though. Despite the heightened focus on the global risk landscape, and the ongoing wars in Ukraine and the Middle East, plus enhanced sanctions on China, Russia, Iran and other countries, fewer than two in five survey respondents (38%) said they have bolstered their risk controls concerning sanctions and trade controls. That proportion has dropped from almost half (45%) who said so two years ago. Focusing on incentives and accountability E&C programs must both encourage ethical behaviors and prevent misconduct. Therefore, on the one hand, it’s reassuring to see that so many E&C professionals (more than three-quarters) indicated that their organization emphasizes values rather than rules to motivate ethical behavior, up 27 percentage points from when we first asked the question back in 2016. (This is not just a nice-to-have. It has real impact:

Cover story

corporatecomplianceinsights.com | 17

impact, medium-impact or low- impact based on their impact on ethical culture.) To make this work, the E&C function must have access to decision-makers at the highest level, and thankfully, the vast majority do. It’s vital that E&C professionals report directly to the C-suite and have the ear of the board. Importantly, nearly two-thirds of respondents indicated that their boards took an active role in ensuring that misconduct by senior executives or top performers was addressed within the past year. Setting the tone from the top is vital, and such decisive actions against wrongdoing clearly signals an organization’s intent to take

of those we surveyed say their organizations have incorporated ethical behavior into their performance systems, major hiring decisions, promotion and bonuses. Further, a similar proportion have policies that allow an individual’s bonuses, incentives and compensation to be clawed back in the event of misconduct. In organizations we have rated as having “high-impact” E&C programs, this rises to almost three-quarters, and more than half of these companies have actually disciplined a senior executive or terminated their employment for unethical behavior in the past year. Of those cases, most did deploy their clawback policies. (For the purpose of analysis, LRN categorizes E&C programs as high-

83% of our survey respondents said their ethical culture has gotten stronger in the past year.) On the other hand, effective E&C programs do need an element of “carrot and stick” to prompt ethical behavior. This was underlined by U.S. Deputy Attorney General Lisa Monaco , who has said, “Going forward, when prosecutors evaluate the strength of a company’s compliance program, they will consider whether its compensation systems reward compliance and impose financial sanctions on employees, executives, or directors whose direct or supervisory actions or omissions contributed to criminal conduct.” A good number (over 60%)

Bringing together the collective wisdom on ethics, compliance, corporate culture, and organizational development from business leaders around the world.

Season 11 available now!

For more of LRN's insights, please visit LRN.com.

18 | April/May 2024

Cover story

CCI Magazine

a robust approach to E&C and reinforces its values. Another challenge is how to incorporate ethics into the workplace and operationalize E&C into decision- making. While most senior leaders are seen to be “walking the walk” in terms of dealing with compliance risks by making difficult decisions that are consistent with company values and purpose, it seems that middle managers are finding that much harder to do. In fact, the gap between middle management and leadership is widening when looking at ethical decision-making involving trade- offs, with this year’s data having the largest differential between the two since we have been tracking this topic. Given the enhanced focus on personal accountability and organizational risk, and the fact that middle managers are such visible role models to colleagues, this is clearly an area that needs to be addressed. Global standards are converging Organizations with a global footprint must ensure E&C programs are applied consistently and appropriately across all their operations and that their values and standards are shared in all their locations. That requires investment of time and resources. Many are taking steps to scale their E&C functions wherever they do business, for instance by setting up regional committees, creating ambassadors or appointing compliance officers in countries where they have a significant presence.

“Going forward, when prosecutors evaluate the strength of a company’s compliance program, they will consider whether its compensation systems reward compliance and impose financial sanctions on employees, executives, or directors whose direct or supervisory actions or omissions contributed to criminal conduct.”

— Deputy Attorney General Lisa Monaco

other E&C programs, which can often provide a global as well as industry-specific context for an organization’s program design. By measuring performance against peers around the world, they can learn lessons from others, build on areas where they are excelling and continuously improve. What we are seeing today is a return to basics on the one hand with the renewed attention on risk and plenty of innovation on the other, as evidenced by attitudes toward incentivizing good behavior and disciplining misconduct and seeking to reach workers where they are to maximize impact. Inspiring the right values, holding people to account and strengthening global standards are all powerful dynamics in the drive to enhance the effectiveness of E&C programs worldwide as we look ahead. Many organizations are in a good position, but there’s no time even for those high performers to rest on their laurels: Good E&C programs constantly have to keep moving with the times.

Interestingly, as the global risk landscape becomes increasingly interconnected, with geopolitical, regulatory, technological and other common challenges affecting companies in all geographies, a convergence in E&C best practices around the world is becoming noticeable. E&C leaders largely agree on what the fundamental components of an E&C program are, including the need for policies, a code of conduct, training, regular audits, a clear tone at the top and support from the board of directors. Regional differences in how these foundational elements are implemented exist, as is to be expected, but in the main, there are no alternative models of what E&C programs should look like and no divergent ideas around what they are designed to do. This degree of harmonization suggests that ethical culture is now more widely embraced and that standards across the board are leveling up. It’s notable that high-performing programs are nearly three times as likely to benchmark against

Cover story

corporatecomplianceinsights.com | 19

Paying the Price: 10 Biggest FCPA Fines Fine: $25 million Year: 2015 Company: BHP Billiton Country: Australia Fine: $795 million Year: 2016 Company: VimpelCom Country: Netherlands 6 10

Fine: $1.1 billion Year: 2019 Company: Ericsson Country: Sweden Another Swedish telecoms

3

The multinational mining and metals company fell foul of the FCPA by sponsoring the attendance of foreign officials who could help it with its business endeavors or regulatory challenges at the 2008 Olympic Games. Fine: $123 million Year: 2021 Company: Deutsche Bank Country: Germany The bank was accused of making improper payments to foreign officials, their relatives and associates who were engaged as intermediaries and consultants to help them obtain business. Fine: $398 million Year: 2013 Company: Total Country: France Oil and gas company Total was charged with making illegal payments to an Iranian official who used his influence to help it win contracts to develop oil and gas fields in the country. Fine: $772 million Year: 2014 Company: Alstom Country: France Energy company Alstom pleaded guilty to a decade-plus-long scheme involving bribes made in countries around the world in connection with power, grid and transportation projects for state- owned entities. 7 8 9

Uzbekistan was the focus of attempts by a Dutch telecoms company to bribe its way to obtaining government-issued licenses, frequencies, channels and blocks of numbers. Fine: $1 billion Year: 2017 Company: Telia Country: Sweden Telecoms company Telia was accused of paying at least $330 million in bribes to win business in Uzbekistan via a shell company controlled by an influential Uzbek government official. Fine: $1 billion Year: 2022 The commodities giant admitted to allegations that it had made corrupt payments to foreign officials in multiple countries over a long period of time and to committing commodities price manipulation. Company: Glencore Country: Switzerland 5 4

company admitted to making tens of millions of dollars in improper payments over the space of 17 years across at least five countries to strengthen its position in the market. Fine: $1.8 billion Year: 2018 Company: Petrobras Country: Brazil The Brazilian energy company was investigated for violating the FCPA by facilitating hundreds of millions of dollars’ worth of bribes to politicians and political parties in Brazil. “The hefty … criminal penalty should act as a deterrent to anyone seeking to perpetrate this kind of fraud in the future,” FBI Assistant Director Robert Johnson said. Fine: $3 billion Year: 2020 Company: Goldman Sachs Country: U.S. The investment bank was charged after former senior employees were said to have bribed high-ranking government officials in Malaysia and Abu Dhabi to secure high- value business from a Malaysian government-owned investment fund. One of Goldman’s managing directors was personally charged for his role and is now permanently barred from the securities industry. 1 2

What many of these cases have in common is a lack of robust internal controls and a failure of ethical company culture. As Don Fort, chief of the IRS’ criminal investigation unit put it in the Ericsson case , “Implementing strong compliance systems and internal controls are basic principles that international companies must follow to steer clear of illegal activity. … Shortcomings in these areas made it easier for … executives and employees to pay bribes and falsify … books and records.”

20 | April/May 2024

Top 10 list by LRN

CCI Magazine

A conversation with News Corp’s new CCO about culture, communication & compliance

Q&A: Ty Francis + Imogen Haddon

corporatecomplianceinsights.com | 21

I mogen Haddon is no stranger to change. She launched her legal career in 2001, becoming a UK-qualified attorney as the post-9/11 era began. She was named the first chief compliance officer of News International (now News UK) just a few months

Ty Francis: Before we talk about the report, I do want to talk a little bit about your experience at one of the largest media organizations in the world. But I’m equally fascinated about your prior career and how that must have given you an enormous amount of insight into how you do your job now. Imogen Haddon: I started out way back as a mergers and acquisitions lawyer. It was around September 2001 when I qualified, but I always actually aspired to be a journalist, especially as I looked at the work that journalists were doing at that pivotal time in history and saw that as being such an important vocation. So, I went to journalism school, did some work experience at The Guardian and realized I didn’t want to go back, in terms of career progression, to being a junior reporter. Luckily enough, I got the opportunity to be a media lawyer at The Independent, and I found that was a fantastic way of marrying my skills with my passion at the time for journalism. I did that for about four years, and working with all those journalists day after day really gave me a greater understanding of how their minds

into a chaotic period in the UK media landscape as News of the World was forced to close following a hacking scandal and a public inquiry into press culture and ethics got underway. And in fall 2023, Haddon became CCO of News Corp, parent company of News UK and The Wall Street Journal, among other publications, not long before that

HADDON

company, too, experienced a massive change when founder Rupert Murdoch announced plans to hand the reins of News Corp and sister company Fox to his son Lachlan — not to mention a post-Covid workplace reality, intense renewed conflict in the Middle East, the ongoing war in Ukraine and new money-laundering rules in the UK. But navigating choppy waters is nothing new for Haddon, who made the leap from law to journalism — and then back again — before becoming News Corp’s CCO last fall. In that role and her previous one with News UK, Haddon’s focus has a strong connection to her journalism roots. Communication, she says, is the key to compliance. In the following Q&A, lightly edited for length and clarity, guest editor Ty Francis of LRN explores Haddon’s career path and looks ahead to the future (and present) of ethics and compliance programs.

“[V]alues need to remain simple, and they’ve got to really align with the culture of your company, otherwise you’re just not going to land that message. So, we were able to intertwine what a journalist is, and what News Corp itself is, trying to encapsulate in its essence, and used that for compliance and ethics messaging that people remember.” — Imogen Haddon News Corp chief compliance officer

22 | April/May 2024

Q&A: Ty Francis + Imogen Haddon

CCI Magazine

and used that for compliance and ethics messaging that people remember. TF: That’s a heck of a back story, and I picked up a couple of very interesting themes, one of which is that compliance is everyone’s job. I’ve always said that this should be on posters and billboards. You mentioned values, and in our report, 81% of organizations emphasized that they were moving from rules- based programs to more values- based programs, which motivate employees to take the right course of action when faced with ethical challenges. How does News Corp use values to create a more unified company? I mean, is this a blanket statement from the C-suite or something you’re cascading through senior management or middle management? IH: I think ultimately compliance is all about communication, isn’t it? Which leads me to another point of your report that I thought was interesting for us and aligns with a major priority that we’ve had over the past year. That is, your focus on tone from the top but more importantly, the gap between them and their managers. And you had some brilliant statistics on that. Most employees hope that the people at the very top are doing what they should be doing, but there’s still a massive gap between them and the managers who people see every day on the front line. It’s often those managers who are the most effective communicators of your compliance program, but they’re not quite there yet on knowing what they need to do.

worked. After those four years, the editor of the paper asked me if I wanted to be managing editor, which I would compare to being the chief operating officer of a paper. You’re running the logistics of the staff; you’re thinking about the editorial content and basically trying to keep the costs under control as well. It’s a tricky kind of balance. I was in that role for five years. During this time, around 2011, the industry was going through some turbulence, with the advent of the Leveson inquiry [into the ethics and culture of the UK press] , and the closure of the News of the World. It was a trying time for the press industry, which was under a lot of scrutiny (and rightly so) from the public, readers, advertisers and regulators. Shortly after that, in the autumn of 2011, I was invited to be News International’s first chief compliance officer. It combined the legal work that I’d done — all the regulatory scrutiny we had navigated, while at the same time the industry was discussing the formation of IPSO , the press regulator, so this new role was a great opportunity to put into practice all that experience I had gathered. In March 2012, I joined News International (now News UK) and in 2015 transferred to work in the compliance team of its global parent company, News Corp. I was always thinking about the personalities alongside the values of the organization to really understand what makes those people tick. That leads me to our values at News Corp: free inquiry, freedom

of speech and free expression. Working with my compliance team, one of whom had over 20 years’ experience running compliance training at global financial institutions, we really worked hard to codify the culture of our company and incorporate that culture into our latest standards of business training. We proudly say we stand for fairness and respect, so be inclusive and respectful; we inform the world, so be informed — know your policies and ensure you do your training. We hold the powerful to account. That’s one of the major things that all our editorial titles and broadcasters, including The Times, The Sun and the Wall Street Journal, do every day, and it is one of the key pillars of the latest DOJ guidance on the evaluation of corporate compliance programs . And then, lastly, we’re curious. That’s the essence of journalists, isn’t it? They’re always curious, wanting to find out more information. But not just asking questions; it’s having a culture where you’re prepared to ask the right questions. We stand for free inquiry, free speech and free expression. That’s our speak-up culture. And kudos to your report; it’s great how you talk about values and how instrumental values are to creating an effective program. But, at the same time, values need to remain simple, and they’ve got to really align with the culture of your company, otherwise you’re just not going to land that message. So, we were able to intertwine what a journalist is, and what News Corp itself is, trying to encapsulate in its essence,

Q&A: Ty Francis + Imogen Haddon

corporatecomplianceinsights.com | 23

At News Corp, we identified this as a gap in our program, also from having read the evaluation of corporate compliance programs, which you also highlight in your report. So, over the past year, we’ve devised an entire toolkit for managers about what compliance means for them. It’s really three short micro-learnings, because we know that short is the way forward now. The first one is, “What does compliance mean for managers?” The second one is, “How do you drive a culture of compliance amongst your team?” and the third is, “What is a manager’s role when someone speaks up?” Ultimately, what does compliance mean for managers? We think it’s to lead by example. Walk the walk, read the policies, do the training. I mean, these sound obvious, but they’re not obvious because in some of the major incidents that I’ve seen, it’s the managers who, if they knew exactly what their roles and responsibilities were, would be better placed to ensure that those issues wouldn’t have occurred in the first place. And again, it goes back to accountability, doesn’t it? Everybody taking ownership of compliance rather than the compliance function trying to do everything, which inevitably it can’t be expected to do. I think first and foremost, what is key here, and you really stress in your report as well, is that risk management perspective. Know the risks in the area that you manage. Involve your team in identifying those risks, understand

the compliance controls that mitigate those risks and identify, learn and summarize relevant policies and processes. It’s almost like an ongoing risk assessment all the time that has to be done at that manager level. TF: Was there anything in the report that surprised you? IH: I think surprise might not be the word. I genuinely wasn’t surprised by anything, but the one area of the report, which is probably the hardest thing to do — but I don’t know whether I’ve ever seen the panacea of an answer that gets us close — is, how do you measure the effectiveness of “I don’t know whether I’ve ever seen the panacea of an answer that gets us close ... [to] how do you measure the effectiveness of your program? We’ve all been around this question many, many times.” — Imogen Haddon News Corp chief compliance officer

24 | April/May 2024

Q&A: Ty Francis + Imogen Haddon

CCI Magazine

your program? We’ve all been around this question many, many times. The report clearly identifies this: You can measure activity, but effectiveness is hard to measure. I guess the ultimate piece of data that gives you the answer to that is how many compliance disasters have you had in the past year? There are so many external factors that make measuring effectiveness problematic. But we have tried, and you talk about this in the report, to come up with data points that do try to go to that effectiveness point rather than the activity. We look at key effectiveness indicators vs. KPIs and we present those every year to the audit committee. It was actually the audit committee who asked us for this quantitative data rather than qualitative data. I still don’t know whether I’m satisfied that we are truly measuring the effectiveness of our program, and we are looking into what data and how AI could help us get to a more accurate measure of effectiveness. TF: In the report, we asked the question: How has your organization responded to the challenges of the past few years? Some of the examples we offered were the pandemic, the war in Ukraine and general global economic instability. And we had some interesting responses. Have there been things that you’ve rolled out over the past few years in the face of these new challenges that are now part of everyday practice? Or things that have made a marked improvement in how you operate your program?

10 Compliance Execs Join First Wall Street Journal CCO Council Compliance executives from a range of industries have joined the newly launched Chief Compliance Officer (CCO) Council, sponsored by The Wall Street Journal. Founding members of the invitation-only panel are: • Martin Åberg , chief compliance officer, Assa Abloy • Amanda Archibald , chief ethics and compliance officer, Equinor ASA • Cecile Alibert , chief compliance officer, DB Schenker • Liz Atlee , senior vice president, chief ethics and compliance officer, CBRE • Funmi Olorunnipa Badejo , head of compliance, Palantir Technologies • Nancy Grygiel , senior vice president, worldwide compliance and business ethics and chief compliance officer, Amgen • Imogen Haddon , chief compliance officer, News Corp • Manuel Liatowitsch , group general counsel and chief legal officer, Ringier AG • Matt Miner , executive vice president, global chief ethics and compliance officer, Walmart • Cindy Moehring , founder, executive chair, Business Integrity Leadership Initiative, University of Arkansas, board member, former U.S. chief ethics and compliance officer, Walmart Members will have access to trusted content, networking experiences, peer-to-peer knowledge sharing and a robust calendar of global events, including the inaugural CCO Council Summit on May 2 in London. The CCO Council is led by Nicholas Elliott, head of communities at Dow Jones Risk & Research, who previously served as the founding editor of the WSJ Risk & Compliance Journal. The council joins the publication’s other C-suite executive memberships: the CEO Council, CFO Network, CIO Network and CMO Network.

IH: Yes, Covid made us realize that communication is key to compliance.

One major improvement to our program is that we started up a monthly newsletter called Compliance Connect, which says what it does on the tin. This is sent out to almost 2,000 people at News Corp. It’s a short newsletter, but it tries to feature a focus piece on what we’re thinking about in any month and a date to remember. I actually sent one out today, and it’s all about antitrust this month and the use of dynamic pricing algorithms. It’s something that the DOJ and the FTC are taking a particular interest in and something that is relevant to News Corp. Another feature of the newsletter this month is that we’re reporting on information governance and where you can find your policies.

Q&A: Ty Francis + Imogen Haddon

corporatecomplianceinsights.com | 25

Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 Page 9 Page 10 Page 11 Page 12 Page 13 Page 14 Page 15 Page 16 Page 17 Page 18 Page 19 Page 20 Page 21 Page 22 Page 23 Page 24 Page 25 Page 26 Page 27 Page 28 Page 29 Page 30 Page 31 Page 32 Page 33 Page 34 Page 35 Page 36 Page 37 Page 38 Page 39 Page 40

www.corporatecomplianceinsights.com

Made with FlippingBook Ebook Creator