Using Code Of Conduct Training To Spot Compliance Risk

(0:56) A majority of the world. (0:58) So, very special company rests at the very bottom of the ecosystem, (1:03) just in terms of it starts at Arm and (1:06) it filters up through the rest of the technology that we all use. (1:10) So, really happy to be here.

(1:12) In terms of compliance, there is never a dull day in the world of compliance. (1:18) Well, and then given kind of the place and the ecosystem that Arm has, (1:23) I can imagine that managing and fostering and (1:28) encouraging the ethics and compliance of all of the employees, (1:33) the partners, the suppliers is quite a tall lift. (1:37) So, excited to hear your thoughts.

(1:40) Just quickly, before we get started here, would love to have folks listening in, (1:46) let us know if part of your remit to your businesses is managing compliance. (1:53) That would be helpful. (1:54) And then, quickly, just as a little side conversation, (1:57) Michael and I were just talking about this in the green room, if you will.

(2:01) There’s two ethical scandals happening right now. (2:05) There’s GrubGate, which is the people at Meta, there’s about 24 people, (2:11) I guess, that were using their meal vouchers to buy personal items (2:16) that were not meals when they were at work. (2:19) And there’s this big, you know, kind of controversy as to whether or (2:23) not they should have been let go.

(2:25) And then, as we’re watching that just today, EY, Ernst Young, (2:30) hit the news because an issue very near and dear to my heart, (2:36) there were people found to be kind of gaming their compliance training, if you will. (2:40) So, they had several monitors up taking several different courses at the same time, (2:46) and those folks were let go. (2:47) So, I’d be curious to hear from folks listening in if they felt like those employers, (2:57) Meta and EY, made the right decision, because there seems to be some controversy.

(3:01) You know, I don’t know. (3:02) I don’t know all the facts. (3:03) But, so, just go ahead and weigh in as we’re chatting.

(3:09) And, Michael, I wanted for you to get us started by kind of summarizing, if you would, (3:17) the Department of Justice came out last month with new guidance. (3:23) And, you know, they published, I think this is their second kind of advisory memo (3:31) to all businesses and certainly all ethics and compliance, you know, (3:37) professionals and practitioners about what they expect to see in programs and in training. (3:43) Can you just give us a little, like, (3:45) cliff note version of what they’re asking all of us to do? (3:49) Certainly.

(3:50) And, for anyone in the audience who hasn’t read the memo, it’s an easy read. (3:54) It’s a great read. (3:55) I would definitely check it out in its entirety.

(3:58) As relates to training, really what the DOJ is asking and demanding is that we don’t, (4:05) as ENC professionals, take a static view of training anymore. (4:08) I can remember, you know, maybe even five to ten years ago (4:11) where compliance training was really just how quickly can you get out the main points (4:16) that you need to talk about in terms of FCPA or what have you. (4:20) DOJ is really challenging us to, first of all, really understand the nature of the business.

(4:25) It’s really not a one-size-fits-all equation anymore. (4:30) Really understanding what risks are present for your workforce, (4:34) what risks are present for your supervisors, and really kind of personalizing (4:38) and tailoring your training towards that. (4:41) Yeah.

Why don’t we, JR, if you would, can you put our, we have a few slides to share with folks (4:50) and put that on the main stage, too. (4:53) Thanks. And so, I just want to show this for folks.

(5:00) So, there is a link here, and actually everyone will have access to these slides, (5:05) but that’s the link to go ahead and take a look and download (5:09) that memo that Michael just referenced. (5:13) So, you know, again, the DOJ is looking, Michael, I talk about it as like first generation (5:19) versus second generation of compliance programs and online training. (5:24) So, the first generation, it was pretty static.

(5:27) As you said, it was just pushing out information and just the top points. (5:31) And, you know, it was interesting for me to see that the DOJ is basically asking for things (5:37) that we’ve been doing at EMTRAIN, which is this whole listening while you learn. (5:43) So, can we put the link in chat? (5:46) I think that’s totally right, and the DOJ doesn’t, and we see this in a lot (5:51) of different areas, not just compliance training.

(5:53) But the DOJ, the government, the SEC, all these agencies, they really don’t live under a rock. (5:58) They really are following the technology, and they’re following the capabilities (6:03) that are out there, so it’s really up to us to keep upping our game in this area. (6:07) Yeah, because some of the things that they’re asking for in that memo, I’m sorry, Mary, (6:12) can’t, maybe GR can’t get the link to put it in the chat, (6:16) but you’ll have access to the whole slides.

(6:19) Some of the things that they’re asking for is, you know, is the company using data (6:23) to understand where the hotspots are? (6:24) Is the company using analytics to determine, you know, where there are issues on behavior? (6:33) Where there are, you know, kind of a heat map, if you will, and to, you know, (6:42) demonstrate that they are proactively trying to stop misconduct. (6:47) So, it’s just some things to think about. (6:50) So, Michael, let’s, you and I had talked about a few steps, (6:53) just kind of simple foundational steps for all E&C professionals to think (6:57) about when they’re trying to spot and manage and reduce risk.

(7:03) And step one, you know, just take us through step one. (7:07) Step one used to be very simple. (7:11) There was really, there was kind of a disconnect between the E&C professional in a sense (7:16) and the business in a sense that the E&C program really was kind (7:21) of like almost plug and play a decade ago.

(7:25) Now, it’s really requiring professionals like us to really understand our business, (7:31) understand the risk, and when we look at the risk, it’s not just, you know, okay, (7:38) there’s an FCPA risk or what have you. (7:40) It’s actually being able to understand the behaviors, (7:43) being able to understand the different geographies in your business that are impacted. (7:47) It’s really being able to understand, hey, what are weaknesses in our training (7:52) where we’re seeing, you know, certain trends, whether it be technical compliance issues, (7:57) whether it be cultural, and one thing that using Emtrain has allowed us to do (8:04) for our program is to do that all in one spot essentially.

(8:11) Yeah. Excellent. (8:14) I mean, so, you know, what I hear you saying is kind of maybe a two-step process for step one, (8:22) which is, you know, what type of business is it? (8:25) Where are the regions? (8:27) What are the issues that, you know, present compliance regs, right? (8:32) Like, so, you know, are you doing business around the world? (8:35) Are you shipping goods and then it’s global trade? (8:38) Are you, you know, doing agreements with different, you know, (8:43) people all throughout the world and you’ve got FCPA issues and global anti-bribery issues? (8:47) So, just think about the business and then think (8:50) about the correlating compliance issues and regulations that that poses.

(8:56) And then as you said, Michael, think about the behaviors that go along with that business (9:01) and then the behaviors will probably start to inform a whole secondary set of compliance risks. (9:08) And also, Janine, one thing that I forgot to mention is that this whole idea (9:13) of being able to create a heat map, I think a lot of us really struggle, (9:20) and I’m actually working on these materials now for reporting to the audit committee, (9:23) reporting to the compliance committee, but being able to really design (9:28) and show graphically where are your hotspots, where are issues that you’re having issues (9:33) because where are the places you’re having issues because we really have (9:37) to be able to bring our first line of defense and our second line partners along for the ride. (9:42) You know, I think a lot of us have really, you know, small infrastructure in terms (9:48) of compliance relative to the rest of the business.

(9:50) For sure. (9:51) So, bringing others along is critical. (9:54) So, I love that, Michael.

(9:56) You’re so right. (9:57) So, the collaboration. (9:58) So, one, you know, even the largest organizations, (10:02) that compliance team is always a small team typically.

(10:07) And so, you know, what the DOJ and other agencies are asking for in terms (10:13) of data analytics frankly is needed because there’s no way a small little team is going (10:18) to be able to see everything that’s going on and then collaboration with the partners (10:25) that are in operations in the trenches to help spot issues. (10:32) But the second, kind of second step is for every, you know, so first you’ve got your table (10:38) or your list if you will of compliance risks, right. (10:42) For each of those risks, identify, I’m going to put my investigator hat on, you know, (10:49) identify the behavior that you’re looking for that you know is going to cause, you know, a risk.

(10:57) So, like the easiest that I can think of is, you know, let’s just say a cybersecurity risk. (11:05) You know, do people know, don’t click on attachments from people, from unknown senders, right. (11:11) That’s a behavior you want to watch for because if that’s happening, (11:15) you all of a sudden have cybersecurity risks.

(11:19) Another one would be, you know, classic is conflicts of interest. (11:23) Do people have the critical thinking abilities to know, okay, (11:31) this might be personally beneficial to me, but at the detriment to my team or my organization? (11:38) That’s exactly right. (11:41) And so, we like to think about, I mean if I move on here, let’s see, what is this? (11:51) Well, and I think along those lines, Janine, is really once you identify those risks, (11:57) being able to personalize training for those audiences.

(12:01) So, to bring this to life at ARM, we are a heavily, heavily engineering focused company. (12:07) I think in the most recent publicly available information I saw, (12:11) over 80% of our workforce are engineers. (12:15) So, with that, brings along risk in terms of working with universities.

(12:21) Lots of times people want to serve as adjuncts or give certain speeches, things of that sort. (12:28) We have to be able to, you know, develop and give them training that helps to mitigate those risks. (12:36) So, that’s really helpful.

(12:38) So, and I’m guessing here, Michael, but I’m surmising based on what you said that, you know, (12:44) to the extent that some of your engineering members, team members are, you know, (12:50) serving as adjuncts or speaking, you know, are they careful (12:56) with proprietary confidential information of ARM, for example? (13:00) Like, that might be a risk, right? (13:02) So, am I getting that right? (13:07) Is that the concern? (13:08) You’re exactly right. (13:09) And as an IP company, you have the risk of people sharing IP inappropriately. (13:15) Exactly.

(13:16) Especially in a university setting where everyone’s like, oh, we’re just here to learn. (13:20) So, understanding your different types of workers or different types of employees (13:27) and their behaviors and what they do and what they’re exposed to, and then developing support (13:33) and teaching that’s super relevant, super focused for each different group is key. (13:41) It’s key.

(13:43) And along those same lines, understanding the special role of managers as well and being able (13:50) to educate our managers properly to help mitigate these risks, too, (13:54) because they really are in the trenches with these folks, too. (13:58) And so, anything in particular that you want to kind of tease (14:02) out about how you’re enabling the managers to proactively kind of support everyone? (14:10) Yeah, it’s a multi-pronged effort. (14:13) Some of it is using training that we’re able to use through the platform, (14:18) which is always very helpful.

(14:19) Additionally, being able to craft concise messaging. (14:26) A lot of what we’ve gotten from our manager workforce is, hey, A, we’re super busy, (14:32) but we want to do the right thing, but we don’t want a lot of fluff. (14:36) We want trainings to be concise.

(14:39) We want messaging to be concise. (14:42) So, that’s really kind of our challenge in E&C is making sure (14:45) that we’re giving people what they need and how they want it. (14:48) Yeah.

Renee just asked a question that I thought was very timely, very relevant. (14:53) Thank you, Renee. (14:53) So, with the, and Michael, you and I were just talking about this the other week.

(14:58) So, with the proliferation of AI, is the word IP going to have less meaning in the future? (15:07) You know, I’ve got a couple of comments on that. (15:09) Maybe let me start with you, Michael. (15:11) What were your thoughts? (15:13) I think the hope for companies like Arm and others is that we keep improving the level (15:19) of security, how we can protect IP, how we can protect against things like scraping, (15:25) how we can minimize IP pollution internally to prevent that.

(15:31) But I think that’s definitely a fear. (15:34) Once it’s in those algorithms, you can’t get it back. (15:38) Yeah.

So, and maybe I’m being naively hopeful here, but I know that, you know, (15:46) here in California, Governor Newsom just had a bunch of bills on AI. (15:52) I think he signed one, passed on another, but more are coming, I’m sure. (15:59) I think, you know, a lot of us have experienced the last decade (16:03) of not having well thought out, or frankly, any regulation on social media and data.

(16:12) And because of that, we’ve learned our lesson. (16:17) I think there is going to be some regulation on AI, because we know that, I mean, you know, (16:26) I think most societies, not all, but most societies value creators being able to create (16:34) and, you know, get the value of their creation, at least, you know, for some time. (16:41) So, I believe that there will be some regulation to support the creators (16:46) in our market, in our economy.

(16:50) I want to move on, though, but thank you, Renee, for that question. (16:55) So, this is just an example. (16:57) So, before, I was showing, you know, our 16 skills, and under E&C, (17:04) we’ve got four kind of primary skills.

(17:07) But then we have, you know, a kind of secondary to that, (17:14) a lot of very granular risk type questions about people’s behaviors. (17:21) And this, Michael, I think is kind of what you’re talking about with the engineers talking (17:25) to universities, right, and this is a very basic example of, you know, showing, you know, (17:31) a scene of somebody just submitting for expense reimbursement, which is kind of classic. (17:38) It’s been going on for hundreds of years, people submitting for expenses (17:42) that may not have been corporate expenses.

(17:45) And then asking, you know, as I said, you know, we listen while we learn. (17:49) And so, asking people, you know, is your organization, at least on your team, (17:55) pretty strict on how expenses are reported and approved? (17:59) And so, you can see, you know, how people are weighing in on that. (18:03) And from these answers, you can start to generate a heat map of which portions of your workforce (18:11) or your business where expense reimbursement guidelines are not well enforced, if that makes sense.

(18:19) Yes. Yes. (18:20) And that goes back to, I think, your point about putting on your investigator hat as well.

(18:26) And this is a fundamental item that the USDOJ is expecting programs to do now, too, (18:32) is to really take and use analytics from training and apply those to your compliance program. (18:40) I like to always tell people, as compliance professionals, (18:43) we really get so few touches with our employee base. (18:48) I mean, a lot of the touches come from either one-on-one interactions or investigations.

(18:54) But really, to really use your compliance training and that venue to get as much from it as you can. (19:02) Right. And, you know, as we were saying, compliance teams are usually pretty small, pretty tight.

(19:08) There’s no way that any compliance practitioner is going to be able to talk to as many people (19:14) as they need to to get a visual throughout the whole organization. (19:19) So I think, you know, table stakes, frankly, for all E&C practitioners is to write out, (19:27) you know, put their investigator hat on and write out the questions that they would want (19:31) to ask employees to flesh out the behaviors that they know are attached to risk (19:38) or will create risk for the organization. (19:40) And just having that and showing the executive team or the board those lists of questions (19:47) and assuring the board that, hey, we’re pulsing on these questions so that we are able (19:54) to flesh out a heat map is really kind of best practice these days.

(20:01) Yes. And one thing that we’re doing in a project that I’m super excited (20:04) about is actually using our results from our training to form the foundation (20:10) of our risk assessment. (20:13) So there are other elements that we use, but the data that we have from the platform is (20:19) so robust that’s given us a really great view of the organization.

(20:26) Awesome. That’s a good segue to this next slide, which this is not out yet. (20:32) So just a little disclaimer, but our product team is working on this right now.

(20:39) We’re so grateful we had about a year to collect feedback from all of our clients, (20:44) all of our stakeholders, and having them tell us exactly, you know, (20:50) how to summarize this information, knowing that everyone’s busy, (20:54) knowing that everyone’s wearing five hats, right? (20:57) And it’s a luxury to be able to drill down into a report or to the data. (21:02) And pretty universally, clients said, can you just summarize it for us and just point us (21:08) in the direction that requires our attention? (21:11) Like for those issues that don’t need our attention, just let us know we’re healthy. (21:16) We don’t need a look.

(21:18) For those issues that, you know, are on the fence, let us know it’s on the fence. (21:21) And then for those issues that, hey, we need to spend some time, let us know that too. (21:27) So we’re excited about this.

(21:29) We’re working on this right now. (21:30) So all of the EMTRAIN clients that have access to analytics, you’ll be experiencing this in Q1 (21:37) of next year, which I hope should be very helpful for folks. (21:40) But again, looping back to the USDOJ guidance, this is what they’re looking for, (21:47) like evidence that compliance teams (21:50) and compliance programs are summarizing the risks and are actively monitoring the risks.

(22:00) Moving on to, oh, then questions. (22:10) This is kind of, this is very, very hard to see. (22:12) But so this is getting into some of the granular questions that Michael referenced.

(22:19) And again, the more questions that compliance teams have, you can integrate it into your training. (22:25) So it’s, you know, one activity that’s giving you a double benefit. (22:29) And giving you data about exactly, you know, where the problems are.

(22:38) Any, so Michael, in your experience on your team, any nice kind of like golden nuggets that you (22:47) and your team were able to see by any of the data or that you may not have kind of, you know, (22:55) thought about otherwise, like that it was a little bit surprising for you? (23:00) Yeah, that’s a great question. (23:01) I think what jumped out to us was really, and our DEI team appreciated this as well, (23:08) was the ability to sort of have 100% coverage. (23:13) I know that sounds.

(23:15) Table stakes. (23:16) Yeah. But it really does make a difference.

(23:20) Because what I found in my career generally in deploying these like kind of surveys is (23:26) that you get kind of mixed, you get kind of mixed participation. (23:30) Right. But being able to have that full view is tremendous.

(23:35) Being able to integrate several different things into one sitting, into one training. (23:41) And to actually do it while the employee doesn’t feel like it’s actually a survey is also very (23:47) valuable. Because I think you get more natural responses.

(23:52) And it’s just seamless. (23:54) So it prevents organizational touches that people don’t want us to necessarily have. (24:00) Like people don’t want training, a survey.

(24:03) They don’t want, you know, they want things to be concise. (24:08) Yeah. I mean, I think what we hear a lot, which is we take it as a win, is a lot of employees don’t (24:16) even realize that they’re giving information to the organizations, to their organization.

(24:22) They just think it’s part of the training experience. (24:25) Because we try to kind of connect it so it’s right after a video scene. (24:29) Right.

So it’s kind of a learning interaction, if you will. (24:33) And so that’s all they’re thinking about it as. (24:35) Which is great because it’s super efficient.

(24:37) It’s natural. But you also get some granular information. (24:42) And what I like in particular is being able to see within your workforce who’s got the strong (24:49) behaviors and strong skills versus who needs some coaching and development.

(24:54) Because we’re saying small teams can’t be everywhere at once. (24:59) You need to have data to be able to prioritize how you’re going to invest your time and how (25:04) you’re going to move the needle within your workforce. (25:06) And so, you know, having this data of like which teams need your help is essential.

(25:12) I couldn’t agree more. And also, it’s great for E&C to be kind of like in the middle of the (25:18) information because information is power. (25:21) So it enables you to work with other teams, whether it be comms, whether it be others.

(25:26) And really, I think, improve the relationship with the data that you have. (25:31) And so lastly, this is showing again, the DOJ is asking for this as well, a heat map. (25:37) So the prior slide that we were just showing showed how different teams within one (25:43) organization were being measured.

(25:47) I mean, their measurements. (25:49) And so the lower measurements are, you know, you can see it here on this heat map are in the (25:55) darker red. (25:57) You know, you’ve got higher performing teams and lower performing teams and, you know, (26:02) different clients, I think, approach this in a variety of ways.

(26:06) Some are pretty candid with their executive leaders. (26:11) Others, you know, try to redact some of this information and just serve it up like, hey, (26:16) we’ve got some work to do and I’m here to help you. (26:19) But Michael, to your point, you know, having the data all of a sudden certainly gets (26:25) leaders’ attention.

(26:27) Certainly. (26:30) We’re just about at time. (26:34) So again, all this information will be available to everyone.

(26:37) I encourage everyone to download that DOJ guidance memo because it just came out last (26:44) month in September. (26:46) And everything that Michael and I were just talking about is listed in that memo from (26:54) the DOJ. (26:54) That’s what they want to see.

(26:56) Michael, thank you so much for joining us. (26:58) Totally appreciate it. (26:59) Really appreciate it.

(27:00) Thank you, Janine. (27:01) All right. (27:01) Bye-bye, everyone.

(27:02) Bye.