Featured image

Assessing program effectiveness through Germany's risk perspective

What you'll learn on this podcast episode

As new risks increase in severity and frequency around the world, E&C programs are focused on their risk mitigation efforts. This is a key theme of LRN’s brand-new 2024 Ethics & Compliance Program Effectiveness Report, which features global data and insights from more than 1,400 E&C professionals. According to our research, values-based programs are not only the most effective, but also correlate strongly with reduced risk and better business outcomes. So how are E&C programs in regions like Germany evolving in response to this increasingly complex risk landscape? And what do these global best practices look like for programs in that region on a day-to-day basis? In this episode of the Principled Podcast, host Frances Ibekwe discusses key findings from the German edition of the 2024 Ethics & Compliance Program Effectiveness Report with Gernot Tölle, the head of legal & compliance at VITA34 AG.

Get a copy of the German edition of LRN's 2024 Ethics & Compliance Program Effectiveness Report.

Where to stream

Be sure to subscribe to the Principled Podcast wherever you get your podcasts.

Listen on Apple Pocasts Listen on Spotify Listen on Audible Listen on Google Podcasts_@2x Listen on TuneIn

Listen on Amazon Music Listen on iHeart Radio Listen on Podyssey Listen on Listen notes Listen on PlayerFM

 

Guest: Gernot Tölle

Gernot Tolle - Principled Podcast - Season 11 Episode 4

Gernot Tölle is an accomplished legal and compliance professional, currently serving as the Head of Legal & Compliance at VITA 34 AG. With extensive experience spanning various industries, he oversees all legal, regulatory, and compliance matters, reporting directly to the CFO. Gernot has held key positions at Fyber N.V., ALSTOM, and Bombardier Transportation, where he demonstrated expertise in contract law, compliance management, and corporate governance. With a proven track record of excellence in legal and compliance management, Gernot Tölle brings a wealth of knowledge and leadership to every role he undertakes

Host: Frances Ibekwe

Frances Ibekwe - Grayscale

Frances Ibekwe is a barrister and Senior Ethics & Compliance Advisor at LRN. She is a subject-matter expert in advising, managing, monitoring, and training on ethics, compliance, risk, and legal matters. Frances helps companies implement effective ethics and compliance programs through our Advisory services such as evaluating programs, reinventing/simplifying code of conducts, and training/communication strategies. Before joining LRN, Frances held roles as a litigator, in government practice for the Serious Fraud Office, and as an in-house compliance lawyer for companies including Cushman & Wakefield, Christie’s, and Tik Tok. Frances received her law degree from King’s College London with an Erasmus year spent at KU Leuven, Belgium, her Master’s degree in international law from University College London, and the Bar Vocational Course from City, University of London. She also has an Award in Management and Leadership from the Chartered Management Institute. Her hobbies include sports, dance, and languages.

Principled Podcast transcription

Intro: Welcome to the Principled Podcast, brought to you by LRN. The Principled Podcast brings together the collective wisdom on ethics, business and compliance, transformative stories of leadership, and inspiring workplace culture. Listen in to discover valuable strategies from our community of business leaders and workplace change-makers.

Frances Ibekwe: As new risks arise in spirit and frequency around the world, ethics and compliance programs are actually focused on their risk mitigation efforts. This is a key theme of LRN's brand new 2024 ethics and compliance program effectiveness report. This report actually features global data and insights from more than 1,400 ethics and compliance professionals.

According to our research, values-based programs are not only the most effective, but they also correlate strongly with reduced risk and better business outcomes. The question is how are E&C programs, how are ethics and compliance programs in regions like Germany evolving in response to this increasingly complex risk landscape? What do these global best practices look like for programs in that region on a daily basis?

Hello and welcome to LRN's Principle Podcast. I'm your host, Frances Ibekwe, senior E&C advisor at LRN. Today, I'm really pleased to say that I'm joined by Gernot Tolle, the head of legal and compliance at VITA 34 Ag in Leipzig, Germany. We're going to be discussing key findings in the German edition of the 2024 ethics and compliance program effectiveness reports and how those key findings apply to programs in that region. Again, and firstly thank you for joining me on the Principal podcast. It's great to have you. Could you start by telling our listeners a little bit about the CAR 34 and also your role within the organization?

Gernot Tolle: Yeah, Frances, thanks for having me in the LRN Principled podcast today. I had joined VITA in May 2023, so last year. I'm responsible to build up the legal and compliance partnership for the Capital Group. VITA is in the business of prior conservation of human stem cells from cord blood, cord tissue, and also from placenta tissue. Plus, we're engaged in treatments and based products made out of stem cell for the pharmaceutical industry and enduring cord blood and cord tissue, cord blood, especially considered a prescription drug. At least in Germany, we're in one of the most heavily regulated industries, which is very interesting from a compliance perspective.

Frances Ibekwe: Does definitely sound very interesting. It's definitely great to speak with you in terms of your background and the role that you're doing. I just wanted to dive straight in terms of looking at one of the themes that we found in the report for this year. We actually found that a foundational concept within ethics and compliance programs is that their ethical behavior is actually primarily driven by values. That notion seems to have gathered substantial momentum over the years. Based on our comprehensive global data set, we actually found that 77% of E&C professionals affirm that their organizations prioritize values over rules, and that's to inspire ethical conduct. That actually marks a significant increase of 27% since LRN initially posed this question back in 2016. I just want to put that into further context because for example, we found that the German E&C programs, they are indeed adopting a values driven approach whereby 82% of organizations' ethical culture has grown stronger as a result of navigating challenges. We look at this focus on values in E&C programs. I just wondered how this trend resonates with your perspective.

Gernot Tolle: That's two of my favorite buzzwords in compliance rules and values. Obviously, most programs start with rules and develop to value-based programs. The speed of doing that depends on the situation that the company is basically in. That's always a question, what part of the journey you are in and all the programs that are developed will try to move further to value-based programs while you cannot do away with the rules. That's also the interesting part. Looking at rules, they are written down and policies and well, not everybody likes policies in companies. That's one of the weak points of compliance departments. We write policies and hand them out and then try to enforce them. It's one thing that you need to have the policies and then how are they left? I had the question a lot of times to myself, "Who is actually reading my policies? Am I the only person that is reading that or is it only the compliance help desk that is responding to those calls?"

Oftentimes, when I was asked a question relating to a policy, I would simply pick up the policy on the phone and do some assisted reading with the person asking me those questions. Then you can usually find that answer. It would be a lot easier if they could come up with the answer by themselves, by having the right values that we are trying to make into that policy as the core. From that perspective, it very much depends on where you are in that journey from rule-based to value-based. The only thing that you probably cannot do or is very difficult is you cannot completely leash out the rule-based parts. Even if you had a completely value-based organization, you would be safe, you would always do the right thing, but you forget that there is a regulator.

Especially if you're stock listed with all the ESG reporting that you have nowadays, auditors will want to see the policy and then they will look into, well, what are the actions, what are the metrics, the KPIs and stuff like that. You can't do it without the policy, you need the policy. From that perspective, it's probably also a trend that I can see that policies become shorter and crisper and to try to fill them in the interpretation by the values and to try to empower the workforce to make certain decisions on their own based on their values. If they still have questions, they come to you and ask you. Obviously, you cannot solve every case, every question in a policy because that would simply become too long a document and well, people stop reading that after a certain point in time.

Frances Ibekwe: Definitely agree with those points. I'm definitely nodding in my head as you spoke. In fact, when you talk about policies and having clearer policies, it's definitely much in the vein of having policy simplification and programs looking at that. In fact, when you talk about not divorcing the rules through the values, another finding that we had for the German E&C report was that the high impact programs, those programs that are doing better than their peers, they saw ethics on the one hand so your values and compliance, on the other hand, your rules as integral and essential to each other and didn't really distinguish between them. That was at a rate of 41%, so that really aligns with your thoughts on that point. I just want to dive a bit deeper, Gernot, in terms of looking at some further insights from the 2024 reports. There were many of them, and based on the German edition, I just wondered which other key findings resonated with you.

Gernot Tolle: I think one of the findings that picked my attention was that E&C programs are scaling their efforts globally. That's also what I'm trying to do at my organization and what's always the most delicate part of the compliance officer is to pick the right balance to adopt the regulations to your organization to find the right level. That depends on, let's say the external factors. In the past, I've been working for organizations that have been under A DOJ obliged monitorship, so things moved extremely fast in that situation. You might build up a program which is very, very robust and you might go overboard, you might have overlaps. Then scaling means you scale it down, you try to reduce it using a risk-based approach to fit it really to the needs.

In the normal case, when you're not under that pressure, you're trying to build that up slowly. When you take a risk-based approach, maybe start with a sample group, you take the IS risk, run it there as a pilot, run it in one of the entities, and then expand it to other areas. You try to use your learnings and also your technology to make things more comprehensible and easier to digest for the organization. Ideally, you would build in compliance. The buzzword here is compliance by design. You try to design rules and processes, regular business processes in a way that people cannot do, but to respect certain rules and they won't even see or feel that this is a compliance policy that is trying to steer them away from trouble.

Frances Ibekwe: That's a great point in terms of this seems to touch upon another finding in our report concerning risk management. That theme in terms of thinking about how to roll things out, how to roll your compliance program out, and risk management was another one of the top priorities for 2024 that we found for German E&C programs. In fact, around about 45% of programs on average had risk management, that was one of the top priorities. I think you had touched upon, yes, this scaling efforts globally, but also trying to strike that balance between the global and the local implementation of the E&C program. Did you have any further thoughts on that, for example, from a risk management perspective?

Gernot Tolle: Yeah, basically compliance risk management is on the basis of any compliance management system. You need to know your organization and identify the risks in order to build up, let's say, the right policy landscape organization and then also the controls around it. That's an integral part of compliance management systems, but it's also an integral part of any business operation. The entities in Germany are required to have risk management systems from a financial perspective. Most of the compliance aspect, also, at the end have a financial impact. If you have an investigation or fraud, this will show in your balance sheet, so it will become part of your financial risk management. The big opportunity here is to have an integrated risk management system that is looking at the different risk areas. Social governance, also, environmental risks that you only do the stock taking ones and not have, let's say the finance organization run their risk management system and then the compliance management organization run their own because that will be perceived inefficient.

It's important for the compliance budget to align very well with the other assurance functions and to make sure you don't double the effort or the colleagues uncertain, identifying the risk measuring and updating because let's face it, this burden on the organization, but it's also worth doing it. This is part of the role of the compliance department to explain why it is worthwhile to do this. Because at the end of the day, this will save the company money and that means you have more opportunities to expand or pay dividends or whatever. It's a healthier company at the end of the day. I see that integration as a great opportunity, again, to let compliance a little bit disappear as a standalone tool, but to integrate it into the regular business operations so it becomes automatically DNA of the operations company.

Frances Ibekwe: On that point, in terms of your thoughts on the 2024 report, were there any other points that you wanted to discuss in terms of any findings that resonated with you, Gernot?

Gernot Tolle: Well, I think there was a mention made of let's say, increasingly complex regulations. I think that's a challenge that all the compliance departments have nowadays. Even if you have a stable program. Then management is often inclined to say, "Well, this is now up and running, so you can scale down, you need less people, you have automized it," but on the other hand, you get more and more regulations even though the national legislature might have the policy to do away with one law if they introduce one new law. Let's face it, if you have a new law, you need somebody that needs to read it, interpret it, apply it to your organization, see if you need to put it into some kind of policy, change a process, make sure how to operationalize it.

It's easy to say, we can show it in our systems and monitor it, but there is, let's say the machine room of the compliance department that is working with a lot of data. Let's not forget, you need to connect all those data points in order to be able to monitor and get feedback to be able to say, "Well, if you are actually handling that situation," so any change will cost manpower, resources, and time. That is often [inaudible 00:14:52] in this changing environment where I would say the requirements are getting higher and higher week by week.

Frances Ibekwe: Yes, definitely. In fact, in terms of you speak about increasingly complex regulations, we found that for the German E&C programs having to navigate obstacles to their proto effectiveness such as those increasingly complex regulations, it was about 60% of programs on average that had to do that. That takes us to a point where we can pause and just think about were there any areas that were flagged for improvements within the reports. We found that while it's been promising that compliance programs have it on their radar, that they need to really respond and deal with issues such as complex regulations that are coming up, there was a noticeable area for improvement in terms of management. There was actually a widening gap between leadership on one hand and middle management on the other hand, concerning how they implement E&C practices. In Germany, this gap stood at about 37% whereby executive or senior leaders on one hand were actually twice as likely as middle managers to apply company values in making difficult decisions.

That was a really large disparity and it wasn't just unique to Germany. It's actually unique across all of our findings, across our reports. It's a gap aligned with our global data. It did surpass the figure for the gap at the UK level, that's about 29% between middle managers and executive leaders on the other hand. Also, for the Nordic region, the gap was about 31% between them, but that gap is still there. I just wanted to connect with you and just understand if you were surprised by that trend and how you would recommend that E&C leaders in Germany address this issue?

Gernot Tolle: I don't know. I have not perceived it in my own experience, but I can only speculate if we're talking about values of the rise, that means that this comes from the C level where the compliance departments basically need to connect in order to get the highest buy-in and to roll this out. It might be that C levels are much closer to the topic because they have been discussing this and setting this up, and it's a matter of the middle management to basically, well copy, let's say the values in practice. They need to observe what their managers are doing. You know, any change takes time and cultural change takes even longer. This is not a matter of months, it's years. If you change something at the top, if implement the values, it's not enough to just put them in your code of conduct and put it on your website.

This is something that you need to practice on a daily basis. That can be done by the compliance departments. We can run trainings, but my philosophy is that compliance is leadership task and that any leader should be able to train others in the organization. They need to be able to explain, let's say, the rules that are applicable to their work environment. If their peers hear it from them that they can translate compliance requirements or situations that are relevant for the team, they will listen more than to the compliance officer that comes around twice a year with the training. I think that the boss has always more street credibility. When I do trainings, I usually try to keep up with one of the business people and tell them what topics I want them to discuss and to see differences. Some people can do this automatically.

They have basically embraced, let's say the values and they have the tools in their repertoire to solve topics and also, to moderate the discussion on those topics. That's where I would like to be at the end of the day because the compliance officer side, the compliance organization cannot be everywhere and train everybody all the time. You need to multipliers and that.I'm happy to see if, let's say the C level feels more comfortable to speak about that and apply values, but I would expect that the number in the middle management will go up as time goes by.

Compliance is the leadership task. It's the tone at the top, the tone from the top, they need to be able to talk about it, and then it'll develop into the tone at the middle throughout the whole organization. What is most harmful, obviously, is you ask people that have the tone at the top, but they do not act like it. That is very closely observed by everybody else. Then all the rules, all the trainings are not really helpful. Then the rest of the organization might not follow because they don't see that this is a lift by example.

Frances Ibekwe: Again, I'm just nodding my head. It really brings a smile to my face when you talk about that leadership, that tone from the top again, because that really does align with our findings. One of the findings we had for the 2024 German report was that E&C programs are generally focusing on having active board of directors. What does that mean? Having a board of directors who actually also receive ongoing periodic E&C training. That really does align with what you are saying in terms of the leaders then receiving that training and then cascading that through the business need and by example. In terms of the findings in this report, it's really encouraging to hear that they align with the industry with the work that you are doing. I just wanted to understand if there are any practical ways, any other ways that your organization intends to tackle some of these trends that we are finding in 2024?

Gernot Tolle: I can only speak about my current role, and as I mentioned in the beginning, this is quite a new role and the task is to build up the legal and compliance department from stretch with this, a nice thing to do because you have almost like a green field activity, but on the other hand, you don't know what to do first. There's a lot of things to do while if you are in an organization that's at a compliance organization for a longer time, you will be more looking at details. From that perspective, I think my situation might be somewhat special, but still, the company I'm in is a German [inaudible 00:21:53], we're stock listed at the Frankfort Stock Exchange in Prime Standard. Basically, we have to apply the same rules internally as all the really large corporations do, and we're like 750 employees worldwide. That's really a challenge to scale this down, to still meet the requirements, but to not overburden the organization with too many policies, restrictions, and there's only so much that the organization can digest at one point in time.

Frances Ibekwe: Yes, definitely. I hear you on that. I think that takes us quite neatly into something else I wanted to discuss with you, which is that look, this year signifies the 10th anniversary of LRN's Ethics and Compliance Program Effectiveness Reports. We've been doing this for 10 years, and throughout this decade long journey, we've highlighted numerous areas where programs can enhance their effectiveness and reinforced core components, thinking risk mitigation, value-centric approaches that we've spoken about, and also, putting into practice E&C across organizational levels and also, incentivizing ethical conduct. Looking ahead, I just wondered, which advancements do you anticipate E&C programs addressing in the upcoming year or even over the next 10 years?

Gernot Tolle: Yeah, looking into my crystal ball, what can I tell you? Technology is obviously one of the big topics with all the artificial intelligence. There will be a lot of changes in support of how the compliance departments operate, the tools that they use, but also there is ethical challenges around the use of that technology. It's developing so quickly that it's hard to keep track of those developments. That will be quite a challenge. I don't know if the technological development will slow down at some point, and then organizations might be very far from each other. There's big companies that have a big focus that work a lot with those technologies, big telecommunication providers. Then you still have, let's say the old school companies that have a traditional business model that are not so technology-driven for them, the divide will become quite big.

That's going to be a challenge and it's going to be interesting. You mentioned ESG, I think that's one of the topics that a lot of the compliance officers have on their desk nowadays, at least in Germany, depending on the size of the company. They either need to report on NFRD this year already or CSRD next year, but this will come and this will be the huge efforts to collect data, interpret data, and then you cannot have a standstill from one year to the next year and report the same numbers again. You will need to demonstrate to the capital markets that you're getting better, that you have a plan to change things and you need to prove that you do. This is going to put pressure on the compliance organization, but also, on the management and what you said earlier, the C level and the boards, they will need to professionalize in that area, gain expertise.

That is also regulated by [inaudible 00:25:26], what their role is and their qualifications are. In Germany, the big impact was from the Wirecard scandal, so the requirements on the personal skills of board members and currently, we have the predominantly the two-tier board system or the C level, and also, for the advisory boards is rising. Plus, they need to also, monitor ESG. They need to be aware of those topics as well. That is quite a development. Global will see quite some upskilling on a lot of levels for a lot of people in order to comply with, let's say, what the rules say and also, what is needed in order to move companies boards. We're looking at the environmental impacts. There is national agendas and global agendas that we want to live up to. It starts, well, at home and in your company. You need to embrace this and not only treat this as a joy that you have to do, but you really don't want to.

Frances Ibekwe: There's definitely tie in with the findings that we had in the report. I'm pleased you've picked those up in your crystal ball. Just even for example, in the point of AI, yes, German E&C programs are beginning to have that on their radar because they are focusing on that as a key area. I think it was about 31% of programs. That aligns with legislation that we have coming in the EU AI Act that sit on the fundamental rights and AI system safety risks. Then you talk about ESG and talk about having to focus on things at the home level, but also, further afield. We see the German Supply Chain Act, which covers human rights and environmental obligations, and also, the EU's new European Sustainability reporting standards and corporate environmental disclosures.

As I said, please, you are focusing on those and looking at those areas or have those on your radar. Gernot, thank you so much for sharing your insights in this report. It's really been great having you on the podcast and speaking with you. I really hope that you'll come back and speak of us again soon. I just wanted to say that for everybody. My name is Frances Ibekwe, and I want to thank you all for tuning into the Principled Podcast by LRN.

Gernot Tolle: Thanks for having me.

Outro: We hope you enjoyed this episode. The Principled Podcast is brought to you by LRN. At LRN, our mission is to inspire principled performance in global organizations by helping them foster winning ethical cultures rooted in sustainable values. Please visit us at lrn.com to learn more. If you enjoyed this episode, subscribe to our podcast on Apple Podcasts, Stitcher, Google Podcasts, or wherever you listen. Don't forget to leave us a review.

Be sure to subscribe to the Principled Podcast wherever you get your podcasts.

Listen on Apple Pocasts Listen on Spotify Listen on Stitcher Listen on Audible Listen on Google Podcasts Listen on TuneIn

Listen on Amazon Music Listen on iHeart Radio Listen on Podyssey Listen on Listen notes Listen on PlayerFM

Ready to upgrade your ethics and compliance program?

We’re excited to give you a personalized demo of the LRN solution. We’ve been a trusted ethics and compliance partner for over 25 years. With over 30 million learners trained each year, we optimize ethics and compliance programs across the globe to help save your team time, increase engagement, and align with regulation.