Five years ago, Dell's compliance leaders were siloed, engaged in similar endeavors at different business units, but not well-coordinated across the organization. These 20 or so executives recognized they needed to collaborate better, said Page Motes, director of the strategic programs office for global ethics and compliance at Dell.

“We said, ‘Let's get to know each other really well and connect as routinely as possible,'” she said.

Motes and Kristi Kevern, director of operational compliance, explained at the 2013 Compliance Week conference in Washington, D.C., how Dell revamped the compliance function by focusing on collaboration and policy management.

The group of leaders jokingly called itself “the coalition of the willing,” Motes said, but its formal name is the Global Compliance Forum. It took on new life in 2011, when Dale Skivington became Dell's executive director of compliance and privacy and began convening the GCF quarterly to discuss risk, regulatory trends, and other compliance issues.

Now that members were talking, they could compare notes and gain momentum to take on bigger compliance issues. They quickly discovered that Dell's compliance policies varied considerably throughout the organization, creating confusion and inconsistent practices.

“If we can come together and agree on the structure, scope, and wording of some of those key sections of policy…we will be much more aligned,” Motes said the compliance group realized.

Accordingly, Kevern's team, in collaboration with the GCF, began a nearly three-year process of creating a new policy development and deployment practice. Trial and error were part of the process, Kevern said, but policy making and policy management are now light-years beyond where they were when she came on board in 2006.

Back then, Kevern recalled, she received an e-mail from an executive on a new expense reporting policy. The problem? The policy was contained only in the e-mail, and Dell's own records retention rules prevented employees from holding on to it for too long.

That's no longer the case. Today, Dell has a highly structured, streamlined process for developing, vetting, and implementing compliance policies company-wide, not to mention a central online repository where employees can access them.

Breaking It Down to Build It Up

Kevern's team started with the fundamentals: How do we define a policy? The term was frequently applied to various memos and documents. Managers often were unsure: was a certain “policy” official? Without a vetting process, policy development slowed, sometimes for years, because no one knew who had approval authority. Some policies conflicted, creating confusion among employees. Most seriously, those weaknesses exposed Dell to compliance risks.

“We didn't know if we had the right policies in place to address risk areas,” Kevern said.

The team set about building an infrastructure, starting by defining policy, and expanded outward. They clarified the roles of supporting standards, business procedures, and controls, and then identified 22 compliance domains policies should support, from data protection to international trade.

The group created checklists to drive policy development consistently. These also required each policy to have executive sponsorship, eliminating confusion over who owned each of the policies.

Photo caption: Kristi Kevern, director of operational compliance at Dell (left), and Page Motes, director of the strategic programs office – global ethics & compliance, at Dell, discuss what goes into a viable corporate compliance policy.

The process sounds simple, but it came with plenty of challenges, Kevern said. For one, other departments were simultaneously driving their own policy management initiatives. That meant bringing teams together to coordinate approaches. What's more, Dell made more than 20 acquisitions while the effort was underway. Each brought with it a new business and new management that Dell needed to bring up to speed with the evolving program, and a new set of legal considerations.

“Today, we have a robust process, but it took a while to get there,” Kevern admitted.

The GCF is the first line of defense in vetting proposed global corporate compliance policies. The group makes sure policy owners follow the process and provide valuable feedback.

“If it doesn't make sense to them the way a policy is structured and articulated, then it won't make sense when it comes to enforcing or rolling out the program,” Motes said.

Once the GCF signs off, policies go to the executive risk steering committee for an official blessing. Controversial or high-impact policies go to the global risk and compliance counsel. The counsel got involved, for example, when Dell broadened its anti-corruption program to encompass not only the Foreign Corrupt Practices Act, but also the U.K.'s Bribery Act.

The value of the new system, Kevern said, is that it forces policy owners to think through all aspects of crafting strong policy, including implementation, training, controls, and business processes.

“The policy is the cornerstone of the compliance programs at Dell,” Kevern said. “Once we were confident we had the right policies in place, we could then leverage them to start working on other components of a particular compliance program.”

Supporting Policy With the Right Tools

As compliance officers know, a policy that is “great on paper” is just that. Motes' job is to take those newly minted policies and “get people to do something about it.” That means communication and training, but more importantly, integrating expectations into behavior and culture.

It's no surprise Dell supports policies with technology. The automated SPIKE program, for example, supports anti-corruption policies on product evaluation. Dell's product development calls for it to lend equipment to market testers, who return it with feedback. The problem is the potential for misunderstanding that such loans constitute a bribe.

“Unless you've got serious rigor around the giving and getting back of those evaluation units, it certainly could look like a gift,” Motes explained.

SPIKE automated the process and brought consistency to offices worldwide. “If you use this tool, you will be in compliance,” Motes said.

SPIKE also yielded a business win for sales teams, reducing 45 manual processes to six automated processes. Such wins lead to buy-in and encourage employees to change behavior, Motes said. Amazing tools are one thing; what matters is whether employees use them: “People have to understand why it adds value to their life. Not just to Dell's life, to their life. That's a big distinction.”

In Motes' view, compliance officers are not necessarily suited to convey policies in a way that resonates with employees. They may know their stuff, she said, but their specialty is drilling down into minutiae. 

“My job is to take it back up to 100,000 feet,” Motes said. “When we do the training, I don't want to mention the law. The law doesn't matter. It's what behavior needs to change to meet the needs of that law or go beyond it that matters.”

POLICY STATEMENT

Below is an excerpt from Dell's policy statement provided at the CW 2013 conference.

The purpose of this policy is to prohibit conduct that may violate the anti-corruption laws of the jurisdictions in which Dell operates, such as the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act of 2010. You must comply at all times with the anti-corruption laws of the countries in which Dell conducts business.

Specifically, You are prohibited from:

i. Giving, paying, offering, promising, or authorizing the giving, paying, offering or promising of

ii. any Item of Value

iii. to any individual

iv. with the Corrupt Intent of wrongfully influencing the individual to misuse his position (or influence someone else to do so), or rewarding the individual for having done so, whether the misuse of position is by action or omission

v. in order to help obtain, or retain business for Dell, direct business to Dell or any other party or otherwise to secure an Improper Business Advantage.

You are also prohibited from soliciting, accepting or receiving, directly or indirectly, any payment of money or other Item of Value for your own benefit or the benefit of anyone else in return for improperly directing Dell business or assets or otherwise in return for the improper performance of your job responsibilities or misuse of your position at Dell.

Falsification or deception in connection with the creation and maintenance of Dell's books, records and accounts, or entries therein, whether by alteration, destruction, omission or false or misleading recording is strictly prohibited under this Policy Statement, as is the creation or maintenance of any undisclosed or unrecorded funds, assets or accounts or payments made or received. You are required to:

i. Make and keep books, records and accounts (including supporting documentation) that accurately and completely reflect Dell's actual operations, transactions and other activities, including requests for payments, expenses, disbursements, and disposition of assets (false or misleading entries are prohibited); and

ii. Uphold Dell's system of Internal Accounting Controls to ensure that, among other objectives, all payments, transactions, expenses, disbursements and disposition of assets are i) executed in accordance with management authorization, applicable legal and regulatory requirements and Dell's Finance & Accounting policies & procedures, ii) properly and completely recorded and accompanied by appropriate and accurate supporting documentation, and iii) facilitate the accurate reporting of Dell's financial statements in accordance with Generally Accepted Accounting Principles (GAAP).

You are prohibited from doing indirectly, whether through a third party or otherwise, what you may not do directly under this Policy Statement.

Source: Dell.

Connecting Principles to Behavior

When Motes built her team a few years ago, she decided that instead of compliance officers, she wanted experts in marketing and management training. Motes herself has experience in sales and adult education, in addition to ethics and compliance.

Her hires have paid off in successful policy implementation: “The work they've put out has been much more well-received by our employees than anything we had done prior, because it's more thoughtful.”

The goal is to speak employees' language, Motes said. “We really want to make sure we're always coming back to the core question: What value does this add? Why should people care and change their behavior?”

One strategy is using vocabulary that helps people connect principles to behavior. That means no legalese, no vague concepts like “ethics.” Instead, employees hear about honesty, respect, courage, and responsibility. “[These] are behaviors,” Motes said. “People understand behaviors.”

She also credited a stronger partnership between the GCF and internal auditors. In the past, audits did not always reflect priorities of GCF members. Now, the group has a unified voice to express those and a better relationship with audit to pursue them.

“Audit is a huge partner for us,” Motes said. Auditors now ask the GCF, “Where are you seeing hot spots? Where do we need us to put extra eyes? What kinds of things do you think we need to be considering?”

The GCF today looks much different than it did five years ago, when it was a loose collection of colleagues who knew little about each other's day-to-day challenges. By getting out of their silos and coming together, Motes said, members have made measurable progress. 

“The GCF is putting more consolidated and organized input to the bottom-up and top-down [enterprise risk management] process every year,” she said.