The following discussion is based on a December 7, 2006 Roundtable in which compliance leaders from four global companies discussed their multinational ethics and compliance programs. Dennis Muse, CEO, Global Compliance, moderated the discussion that included Tom McCormick, Director, Global Ethics & Compliance, The Dow Chemical Company; Jacki Trevino, Program Manager, Corporate Ethics & Compliance, Dresser Industries; Jay Mumford, Corporate Ethics and Compliance Manager, Accenture; Jack Lenzi, Chief Compliance Officer, Altria Group, Inc.; and Shannan Hillier, Manager, Compliance Systems, Altria Group, Inc.
Dennis Muse, CEO , Global Compliance: Let’s start with a key issue - risk assessment. Tom, how does Dow address risk assessment for compliance and ethics worldwide?
Tom McCormick, Director, Global Ethics & Compliance, The Dow Chemical Company: Dow is always conducting risk assessments. Most of them have addressed subjects that we would consider relevant to ethics and compliance. For example, we have done business risk reviews periodically for each business or for a new product application, market or geography. We have also done risk assessments for liability and regulatory concerns.
But these have not always been done consistently, nor were the results and the lessons learned effectively leveraged across the company. So we gradually improved them by increasing our cross-functional processes. And then we increasingly used the regional ethics and compliance committee structure in 14 geographies to identify compliance risk in the regions and to develop action plans to mitigate those risks.
Muse: How do you now coordinate reviews across regions?
McCormick: At the beginning of 2006, we decided to develop a more robust and standardized ethics and compliance risk assessment process. We’ve developed a variety of tools for that process and have begun to work through records management, records retention schedules and more. It is a combination of a standardized process for the ethics and compliance risk assessments, as well as standard tools that we will leverage across the company.
Muse: How will you implement the plan internationally?
McCormick: Since our company is highly centralized, we will start with pilots of the risk assessment process, and adjust them as necessary. We will implement the process in three ways—in the global businesses, in the functions and in the geographies. Because of the way we are organized, as we drive the risk assessment process into these areas, we will have some initial overlap in the business and the geography. We will assess how those overlaps occur and then try to eliminate them along the way.
Muse: How does this process relate to Enterprise Risk Management, or ERM, at Dow?
McCormick: We are integrating our ethics and compliance risk assessment process with the overall company ERM. We are already working with the people that have responsibility for ERM, so the ethics and compliance risk assessment process will inform ERM and vice versa.
We are also coordinating our risk assessment process with other company processes that have some ethics and compliance elements, such as SOX 404 assessments. We can help the overall ERM process to get beyond thinking in the organizational box. For example, when we started doing ERM, the company would look at corporate social responsibility or reputation and think that those things were owned by one aspect of our company, rather then realizing that, for example, ethics and compliance issues could severely impact both our CSR activities and our reputation.
Muse: Jacki , how does a decentralized organization like Dresser address risk assessment globally?
Jacki Trevino, Program Manager, Corporate Ethics & Compliance, Dresser Industries: This year, based on direction from our audit team and board of directors, we created a common approach to risk assessment where the ethics and compliance, internal audit and SOX teams could work together. We developed a four-phase project. In Phase One, we launched an anonymous employee survey across the globe. We asked general cultural questions. We felt correctly that ensuring employees’ anonymity would produce a better response rate as well as honest answers.
In Phase Two, we launched a diagnostic survey of 250 senior management employees. If they were in sales or marketing, they received specific questions related to sales activities. If they were in HR, they received specific questions about key HR issues. We learned whether we had not only specific geographic locations that might be a high risk, but also about specific business segments where we needed to do more focused training.
We followed up with structured interviews. While the Phase One surveys were anonymous, in Phase Two we told people that they couldn’t be completely anonymous because we asked openended questions and we wanted to ensure that if a potential issue was raised we could follow up with them. We reviewed the results and pinpointed areas where we needed to do structured follow-up.
Muse: How did you analyze the various geographic responses to the cultural survey?
Trevino: We began by prioritizing the risks identified through the compliance diagnostic survey and the culture survey. They produced very different results. Obviously, the cultural survey results told us whether or not our employees were familiar with the Code of Conduct and what type of culture we have in each of our locations. With the diagnostic surveys, we were able to identify specific potential risks, for example in FCPA or import/export controls.
After we prioritized these risks, in Phase Three we held facilitated management sessions at each of our U.S. business unit headquarters. We sat down with their management teams to discuss the results and gain their buy-in and feedback.
In Phase Four, we developed our action plans and reported this information to management and our Board of Directors. Now we are working closely with our management teams to put objectives in place to address these risks and develop a strategic plan for 2007.
Muse: Will you share some key findings with us?
Trevino: We were able to identify that 96% of our employees are familiar with our Code of Conduct; however, only 76% are aware that we have an anonymous reporting hotline. This tells us that we need to promote our Integrity Line better. The key finding from our global risk assessment was the data we collected on specific geographical locations, which allowed us to pinpoint specific locations that need education in target areas. It also gave us an insight to customs that are “standard” in some countries that may or may not be “standard” in the U.S.
Muse: Let’s turn now to Codes of Conduct. Jack, how did Altria go about developing an entity-wide global Code of Conduct?
Jack Lenzi, Chief Compliance Officer, Altria Group, Inc.: It started in 2002 when we began to develop one official document for the entire Altria enterprise. In Step One, we expanded and formalized existing corporate standards. We tried to create a single employee reference guide to which people could turn if they had questions about actions they were undertaking or being asked to undertake. We also emphasized developing something truly reflecting our corporate culture.
First, we developed the Code of Conduct. It’s about 48 pages, but it is not a list of corporate policies. It is actually written by people for people in an intentional effort to humanize the Code. We began with an English-language-only Code of Conduct, which we distributed to about 20,000 core employees in all of our companies at management level and above. We supported the rollout with a new global Code of Conduct web-based training program. Then we needed to somehow reach the remaining 140,000 employees.
Muse: What challenges did you face in getting all employees to understand the Code?
Lenzi: We strongly suspected that one size would not fit all; that the 48-page document, while comprehensive, just didn’t fit our diverse mix of employees, given different grade levels, language, culture and, maybe most importantly, their experiences, skill sets and responsibilities. So in Step Two we translated our full Code of Conduct into five languages and also prepared translations of an eight-page Code Overview and a two to three page Manufacturing Center Overview. Examples can be found on Altria.com. We also did 18 employee focus groups in six countries in all three of our companies.
Muse: What did you learn?
Lenzi: We had terrific feedback. We learned that in the overwhelming majority of cases, the Code Overview was preferred to the full Code and that manufacturing centers essentially needed something different. There was a near-universal request for the abbreviated version of the Code in native languages, and many respondents also wanted the full Code in native languages where possible.
The research had important implications for our global efforts. One of those implications is that we need to develop and tailor Code content for specific employee audiences. We also need to have a global working group to pull together the content and the strategy, with specific execution of that strategy by the individual operating companies.
Muse: How did you distribute the Code and educate employees about it?
Lenzi: All Code versions were distributed between late 2003 and late 2004. Philip Morris USA took the lead in developing the Manufacturing Center edition and creating a manager’s communications toolkit. The eight-page overview for Philip Morris International was translated into 25 languages and distributed to about 20,000 employees, while the translated Manufacturing Center edition went to more then 22,000 employees.
Kraft Foods started by developing 12 full Code translations and posting them on the Kraft intranet. Then they developed 22 language versions of the Code Overview and distributed it to 90,000 employees globally. While this took longer than the one-size-fits-all approach, and there were expenses for employee research and translations, we felt we achieved our goal of globalizing our Code of Conduct and trying to reach all employees with the most relevant content.
Muse: Jay, what goals did Accenture have in implementing its new Code of Conduct?
Jay Mumford, Corporate Ethics and Compliance Manager, Accenture: Until September 2006, Accenture had a Code that was probably 100 percent legally accurate, but it wasn’t necessarily relevant to many of our employees. We knew that employees were aware of the Code, but in focus group work we learned that the Code, while accurate, wasn’t useful to the average employee. And so, early this year, we had the go-ahead to rebuild our Code of Conduct.
Two main themes developed. One resulted from the CEO asking me for something he could teach from, which ties into an important theme within Accenture—the idea of leadership and the ability to teach others and to learn at any level of the company. The other main theme of the Code of Conduct was the idea that it was built on the foundation of our core values.
Within Accenture, we’ve had six core values since 1993 or 1994, which are well-known by the employee base. We knew that the old Code was not connected well enough to the core values. The challenge was how to make that connection within the document in a way that would be globally relevant.
Muse: What process did you follow to accomplish these goals?
Mumford: We built our six core values into the document through what we call “action statements.” Each core value has a major section with a summary statement of what that core value means. The action statements include detailed text providing further guidance and information on each value. This structure made sense to our employees. We also included Q&A’s throughout the document and set them off in an orange color and a larger font so they are easy to find and read.
Muse: How did you internationalize the Code? Did you translate it?
Mumford: We are translating the Code into 16 languages, plus English. We decided, based on input from the field, to have a European Portuguese for Portugal and a separate Portuguese version for Brazil. Also, our Spanish employee base indicated that we should have a Spanish version variant that is more attuned to colloquial usages in Latin America, so we actually have two Spanish versions. That decision was created by giving local executives the ability to say, “Make this really relevant to us, this is what we need to do.”
Muse: Shannan, how have you internationalized your Code of Conduct and other compliance and ethics training?
Shannan Hillier, Manager, Compliance Systems, Altria Group, Inc.: In 2003, in conjunction with our Code distribution, we rolled out our first course, which was our English custom Code of Conduct training, and that is the foundation of our program. We rolled out other modules per our training topics risk assessment in 2004. We also moved into Phase Two of our program, which was translating the risk-based training courses, and rolled out translated modules beginning in early 2006. To date, we have translated seven of our 28 unique courses in as many as 26 languages per course, with 78 translated versions available. And where necessary, we have also internationalized these courses to incorporate global names, accents and customs.
