“In the current environment, [the] stakeholders are demanding that companies exercise leadership on a broader range of issues.  And they are right to: a company’s ability to manage environmental, social, and governance matters demonstrate the leadership and good governance that is so essential to sustainable growth, which is why we are increasingly integrating these issues into our investment process.” 

Larry Fink, the Founder, Chairman and Chief Executive Officer of BlackRock, wrote these words in his annual letter to CEOs. 

BlackRock is the world’s largest asset management company, with $6.3 trillion in investments.  Mr. Fink’s letter speaks to the changing face of investor’s focus – not simply from quarterly returns and financial performance – but to governance and the long-term profitability of corporations that focus on ethical behavior and corporate culture.  

Expectations are Higher

Investors and asset managers care increasingly about corporate culture for good reason: it drives profitability.  For example, before the firing of one CEO in a high-profile case last year, it was reported that staff turnover in the organization was 30-40 percent per year.  When employee churn is that high, the cost of recruitment and business management goes up substantially, draining profitability, which can lead to unrelenting pressure on sales and tolerance of misbehaviour of high-financially-performing leaders.  

In an article titled, “Sexual Harassment is Becoming a Serious Investor Risk,” Barron’s cover story noted, “Companies that tolerate or cover up sexual harassment, perpetuate a culture that fosters it, or fail to provide proper avenues for employees to report concerns and offenses, could pay in multiple ways, from difficulties in attracting, retaining, and motivating talented workers to customer defections, ruined business deals, and lost revenue and profit.”

Since Friday is the big day that GDPR officially comes into force, I thought I’d ask my good friend Patrick O’Kane for tips on how to make GDPR less painful! Patrick is an in-house Data Protect Officer, and the author of the fabulous book, GDPR: Fix it Fast! 

Click Here to buy GDPR: Fix it Fast on Amazon

As an in-house lawyer and Data Protection Officer for a Fortune 500 company, I have experience in trying to engage different departments such as HR, Marketing and Legal in the sometimes grim area of data protection. You are never going to be the most popular person at the office Christmas party when you hold my job but if you make your GDPR project practical and engaging you can get on the right side of the law, win the trust of your customers and avoid those much-hyped fines. 

Running an effective GDPR compliance programme means you must change some of your processes and operations to align them with GDPR. You must also educate the people in your company all the way up to the boardroom on what they will have to do, and avoid doing, in order to avoid its mammoth fines.

Some of the GDPR tasks are going to be painful. Here are some tips on how to make them less painful.

Making data protection fun

Let me tell you a story; I once had to give a three-hour lecture on data protection to a group of millennials at my last company. They were looking forward to it about as much as one looks forward to root canal treatment. I came armed with 40 slides bursting with legal information but I had not made the effort to make my presentation in the least interesting. Just as I was about to be booed offstage it finally dawned on me that when you are preaching data protection you have to, first and foremost, make it engaging.

“What are other companies of our size doing?”  This question plagues compliance officers in all corners of the world in all industries.  Benchmarking our programs and getting concrete information about what others are doing is critical to making our program a success.  But it can be difficult – where do we find the data we need?

Unfortunately, there is no one source for all data.  However, there are plenty of places to find information.  These include:

1.      Society of Corporate Compliance and Ethics Surveys

I’ve been using the SCCE’s data and survey results as a benchmarking tool for years.  They have salary surveys, surveys on how compliance interacts with the Board - even surveys regarding staffing and budget.  This is my go-to source to start any benchmarking exercise. (full disclosure – I’m on the Board of Directors at the SCCE – but I still love and use their material!)

2.      Compliance Vendors Surveys

Compliance vendors produce some of the best surveys and reports.  Steele Solutions, NAVEX Global, GAN Integrity and others create outstanding reports.  Even better?  They often offer webinars going through the results of their surveys.  Sign up for their lists, and download their materials, even if you don’t need the data right now.  By gathering the information before you need it, you’ll be ready to respond when the C-Suite, Board, or management requests for benchmarking information.

3.      Conference Presentations

Do you need a compliance program evaluation?  And if so, should it be done by an outside party?  It can be scary to allow an outsider to perform an assessment.  I know this first hand – when I was in-house, I remember being deeply uncomfortable when we brought in the evaluators.  Would the assessor say my program was terrible, which would embarrass me or make me look bad?  Would they say everything was great, when I knew there were unresolved problems, and then management wouldn’t hear my requests for more resources?   Was it worth subjecting myself and the program to a review?

The short answer is yes, it was not only worth it, my program benefitted for years to come.  Here are four reasons why that’s true:

No. 1: Program Evaluations are Expected Under Regulatory Guidelines

Make no mistake, the Federal Sentencing Guidelines say that to companies need to “evaluate periodically the effectiveness of the organization's compliance and ethics program.”  Likewise, ISO 37001 requires auditing of the anti-bribery program on a regular basis.  Obtaining and maintaining certification requires it. 

There’s good reason regulators expect program reviews, because you can’t improve without them.  Why is it critical to have an external reviewer? Because…

No. 2: You Can’t Effectively Audit Your Own Work

The number one rule of auditing is that you can’t audit your own work.  Why? …

I’m in Dubai today, and this morning, on the television, the news feed featured a line of hundreds of young men waiting for their chance to see the FIFA Trophy as it winds its way through Russia before the World Cup starts later this year.  That’s the second time I’ve seen FIFA in the news this week.  Four days ago, I read that the FIFA Ethics Committee announced its lifetime suspension of Brazilian Football Confederation president, Marco Polo Del Nero, who is currently under indictment for his alleged part in the sweeping FIFA corruption case. 

Do the kids in line to see the trophy know or care about the bribery committed for years within the FIFA organization?  For the most part, I doubt it.  But that’s not the point.  The point is that FIFA could have done better.  Their leaders didn’t need to give or accept bribes.  The money that was taken could have built better stadiums, been invested in community teams, produced skills academies, or simply been given to schools.