The intensifying severity and frequency of new risks worldwide have heightened the focus of Ethics and Compliance (E&C) programs on risk mitigation efforts more than ever. LRN's 2024 Ethics & Compliance Program Effectiveness Report presents comprehensive global data and insights from over 1,400 E&C professionals to underscore this trend. Our research emphasizes the effectiveness of values-based programs, which exhibit a strong correlation with reduced risk and improved business outcomes. Given this increasingly complex risk landscape, how are E&C programs in the Asia Pacific region, particularly in Singapore, adapting? Furthermore, what do these global best practices entail for programs in this region in their day-to-day operations?
In this episode of the Principled Podcast, Eric Morehead, LRN's Director of Advisory Services Solutions, discusses the key insights from the Singapore edition of the 2024 Ethics & Compliance Program Effectiveness Report with Jarrod Baker, Partner at Deloitte Southeast Asia, exploring their implications for regional programs.
Get a copy of the Singapore edition of LRN's 2024 Ethics & Compliance Program Effectiveness Report.
Be sure to subscribe to the Principled Podcast wherever you get your podcasts.
Jarrod Baker is the South East Asia Leader for Forensic Investigations. Working across the globe, he has been instrumental in helping financial institutions and corporates with investigations into complex fraud, serious misconduct and financial crime. Jarrod is experienced working on high profile matters involving regulators such as the United States Department of Justice, the Securities and Exchange Commission, the UK Financial Conduct Authority, and the Australian Securities and Investments Commission. This includes investigating breaches of anti-corruption legislation such as the FCPA, violations of trade sanctions, market misconduct and financial misstatement. He is well-versed in helping corporates develop, implement and monitor effectiveness of their anti-corruption compliance frameworks.
Eric Morehead is a member of LRN’s Advisory Services team and has over 20 years’ experience working with organizations seeking to address compliance issues and build effective compliance and ethics programs. Eric conducts program assessments and examines specific compliance risks, he drafts compliance policies and codes of conduct, works with organizations to build and improve their compliance processes and tools, and provides live training for Boards of Directors, executives, managers and employees.
Eric ran his own consultancy for six years where he advised clients on compliance program enhancements and assisted in creating effective compliance solutions.
Eric was formally the Head of Advisory Services for NYSE Governance Services, a leading compliance training organization, where he was responsible for all aspects of NYSE Governance Services’ compliance consulting arm.
Prior to joining NYSE, Eric was an Assistant General Counsel of the United States Sentencing Commission in Washington, DC. Eric served as the chair of the policy team that amended the Organizational Sentencing Guidelines in 2010.
Eric also spent nearly a decade as a litigation attorney in Houston, Texas where he focused on white-collar and regulatory cases and represented clients at trial and before various agencies including SEC, OSHA and CFTC.
Intro: Welcome to the Principled Podcast, brought to you by LRN. The Principled Podcast brings together the collective wisdom on ethics, business and compliance, transformative stories of leadership, and inspiring workplace culture. Listen in to discover valuable strategies from our community of business leaders and workplace change-makers.
Eric Morehead: The intensifying severity and frequency of new risks worldwide have heightened the focus of Ethics and Compliance (E&C) programs on risk mitigation efforts more than ever. LRN's 2024 Ethics & Compliance Program Effectiveness Report presents comprehensive global data and insights from over 1,400 E&C professionals to underscore this trend. Our research emphasizes the effectiveness of values-based programs, which exhibit a strong correlation with reduced risk and improved business outcomes. Given this increasingly complex risk landscape, how are E&C programs in the Asia Pacific region, particularly in Singapore, adapting? Furthermore, what do these global best practices entail for programs in this region in their day-to-day operations? Hello and welcome to LRN’s Principled Podcast. I’m your host, Eric Morehead, Director of Advisory Services Solutions at LRN. Today, I’m joined by Jarrod Baker, Partner at Deloitte Southeast Asia. Today, we’re going to discuss key findings from the Singapore edition of the 2024 Ethics & Compliance Program Effectiveness Report and how they apply to programs in that region. Jarrod, thanks for joining me on the Principled Podcast.
Jarrod Baker: Thank you, Eric. It's a pleasure to be here.
Eric Morehead: Can you start by telling our listeners a little bit about Deloitte Southeast Asia and your role within the organization?
Jarrod Baker: Yeah. So Deloitte Southeast Asia is quite a unique proposition amongst the big four accounting firms or consulting firms in that, across the Asian countries we're fully integrated as one partnership or one team in the way that we're able to go to market and service our clients. And then obviously we feed into the wider Asia Pacific member firm of Deloitte. With the forensic team within Deloitte, obviously we're broken down into the different pillars of the forensic accounting, which is the disputes and investigations. We have our financial crime advisory arm, our discovery and computer forensics, which feeds a lot into the investigations and litigation work. And then data analytics, which as I'll talk about today, is a very important part of the work we do.
My role within the forensic team here is as the investigation's leader for Southeast Asia, and obviously a lot of the work is investigation related, but what we do is actually also help our clients proactively mitigate their risks. And a lot of that comes around from the learnings that we get from assisting clients with investigations when things go wrong and the prior enforcement actions and what we see from the regulators and the like. So we're actually able to take those learnings and proactively advise our clients to help them avoid those issues arising in their operations.
Eric Morehead: That reminds me a bit of an old joke in the compliance space, which is if you want to find a really good compliance program, look for an organization that got into trouble about five years ago, and the subsequent investigation and findings from those investigations and reviews oftentimes lead to those improvements. There are a lot of insights in our 2024 report, and I don't want to miss out on getting your thoughts on this. So let's dive right in. And based on the Singapore edition of the report, I'm curious, because you know this area so well, what most resonated with you from the report?
Jarrod Baker: Yeah, Eric, there were three things that I took out of it as key. Obviously it's a great report in totality, but the three that I'll touch on now, one is around the increased focus on global risks. One of the things about Singapore is that it ranks highly on Transparency International's Corruption Perceptions Index, and that's obviously on the domestic side. Singapore prides itself on that ranking and the ranking for 2024 has just come out.
But it's when the local companies from Singapore enter the global marketplace that some concerns have arisen. And certainly we've seen the compliance landscape within Singapore evolve, especially over the last five to 10 years. And this was on the back of a high profile global bribery probe that was in Brazil where a US-based subsidiary of a Singaporean company was implicated and was subject to a deferred prosecution agreement by the US regulators and other international regulators. And when we saw a development from that as well, following on, is that Singapore actually then in April 2017 adopted the ISO 37001 standard on anti-bribery management systems. So there was a real recognition there about, "Okay, we're good internally on the domestic side, but it's when we're going abroad, we need to make sure that our companies are following the accepted norms about the way to do business and the like."
Then the second thing that I've taken out of the publication is that there's insufficient resources or perhaps a lack of maturity in the program. Now, obviously with ethical compliance, I don't think this is unique to Singapore, is this conundrum about does it add to the cost of doing business? And particularly when we're seeing maybe an economic slowdown globally, where should resources be for the company and the like? But I think it's more that companies, and not just for Singapore, but they need to consider the effect of non-compliance on profit. And that's what you were just touching on in the introduction there, Eric, about when a company does go through these, what they're actually seeing happen to them with the cost and the resources being tied up and things, and not to mention also their standing in the public eye.
And I think it's a key thing that companies really need to operationalize their compliance program. It's what I say about going beyond paper compliance. It's all great to have this framework with a great policy and the like, but what are you doing to operationalize it, to bring that to life? And one of the things that really companies do need to focus on is adopting that data-driven compliance program and the use of AI, gen AI and the things, and drive the efficiencies around that, which will help them with that conundrum about that lack of resources and the like.
But also I think there needs to be a shift in the paradigm around ethics and compliance. That shouldn't just be treated as a cost center. You need to think about with the role that ethics and compliance has, the access to data and information that it has, what synergies can you get from that data in particular? There was an example we had with Deloitte globally with an oil and gas client where we were helping them on the compliance side looking at spend and the appropriateness and the like, but what it actually did was identify spend that maybe it wasn't for a nefarious purpose, but it actually helped them identify where they had wastage and the like and they could cut down. So it's actually helping the client really take that ethics, it's been done for the ethics purpose, but it's taken it into this business operations side of things saying, "We've got these learnings here or we've got this program we're running," and the insights it can generate actually helps the company cut costs another way.
And then finally the third one I wanted to talk about was around the board involvement and there's this gap between the board and the frontline and middle management. I think one of the key things is that it's really important to have that risk and audit committee, but not only that, it's the composition of that committee, and I really think it's important to have that person, as someone in that committee that's leading it, with an ethics and compliance background.
Back to that point we raised at the start, Eric, around someone that may have seen what's happened when companies fall afoul of various laws and all that, when the compliance program has failed, that they can really share with the other directors or the other senior management around the thing that prevention is better than the cure, we just see what will happen. I've seen many special committees set up doing investigation work, and you feel for these individuals that are appointed to lead the special committee when the investigation has to take place because they've signed up for something that they weren't expecting and the time and effort it requires to actually help appease the regulator, get their proper investigation done, it's not something you'd wish upon your worst enemy, so to speak.
Eric Morehead: And you lose control. Yeah.
Jarrod Baker: Yes. Yes, absolutely.
Eric Morehead: Yeah. That's the other thing that people forget is you lose control of the situation and now before something bad has happened, you have the options to properly design your program and you may not have those options, they may be taken away from you if you find yourself afoul of the authorities in certain jurisdictions.
Jarrod Baker: Absolutely. But I just want to finish this first question on a positive note that what we do see in the report is a very positive message that Singapore does have a strong culture and a workforce that believes in making ethical decisions. So we have a pathway there to ensure companies can do the right thing.
Eric Morehead: Yeah. That's my big takeaway from the results too, particularly focusing on Singapore is the strong culture is a tremendous foundation for any organization to build on. It's going to take some resources and some effort to operationalize as you suggest, but they have a tremendous advantage in the strong culture that's exhibited in the data that we've been able to see. One of the fundamental underlying principles of ethics and compliance programs is just that, that values really drive and ethical culture really drive ethical behavior. Our tagline at LRN is Values trump Rules. That is borne out over and over again, and we're now seeing data that helps support that. This idea has gained traction over time. That wasn't really the way people looked at things 10 years ago, for example. But according to our global dataset, 77% of ethics and compliance professionals say their organization emphasizes values rather than rules to motivate. That's a 27 point increase from when LRN first asked this question back in 2016. So we're seeing a tremendous movement just in the last six, eight years. What are your thoughts on this, the values driving the equation here?
Jarrod Baker: Something that I speak about when advising clients around this is that the spirit of compliance is the enabler for the letter of the law to be followed. So you get that spirit right and people thinking about the right things and all that, then the letter of the law, it goes without saying that letter of the law should be followed. Now, that's not to say that you don't have bad people or bad actors within an organization. No one's foolproof with that. But then taking it further as to how to get people to understand the spirit of compliance, because I think if you say to people about, if you use bribery as an example, "Don't pay a bribe. There's bad implications of that and the like," they get it, but I think you need to take it further around training and awareness and make people aware of why certain laws exist.
And things that I've done in the past is helping clients with training around providing examples of those in society that suffer because of corrupt conduct. And then that's why the company has policy X, Y, Z to stop this happening. This was something really that came to the fore when the Bribery Act came out 11, 12 years ago around banning facilitation payments and helping clients navigate the challenges around that, that the employee that's stuck somewhere in another country that just thinks, "Okay, it's okay to reach into my wallet and give this government official what he wants." And not withstanding there could be safety concerns and the like, but what is the implication if everyone is just doing that, if they're just putting the money out there that way? So really finding that there is an education process that has to take place to give examples to people where things may not seem so straightforward.
But building upon what you were saying as well, that culture does trump process and I think as we're saying with Singapore, that there is an expectation that people will act in the right way, but then it comes back to this operationalization that I was talking about, having that resourcing there, the resourcing that can check things, can help make sure that the risks are considered, the most up-to-date things are happening with the policy, the framework, the training, the awareness, and as we were saying before about the board, the composition of the board, people on the board that can help ensure that the checks and balances are there and just really driving forward that top to bottom of compliance within the organization.
Eric Morehead: Uh-huh. Yeah. No, explaining the why is really powerful. And I think that traditionally, particularly those of us with investigations or legal background, we're really focused on the elements and trying to get to the heart of the matter really quickly and we don't necessarily take time to explain the why to everybody involved. And that makes a big difference to adoption if people understand that there's a purpose to it.
Now, we have spent a few minutes now building up our friends in Singapore and talking about how wonderful the culture is and how well it performs in our reporting versus other jurisdictions, but not every insight in the Singapore report is necessarily a completely positive one. There are some areas where organizations in Singapore self-report that they understand that there could be some improvement. One gap in particular that was noticeable was between middle management and senior leadership. There was a 56 point difference between leaders and managers when you ask the question, "Do you regularly lean on those values to make tough decisions for the business?" That's the highest gap we've seen on this particular data point. So I'm curious, since you have experience peering into organizations in Singapore, were you surprised by that gap between senior leadership and middle management? And what are some ways that you might recommend leaders in Singapore address this?
Jarrod Baker: Yeah, Eric, in some ways not. I spoke earlier about the journey that Singapore has been on with compliance the last five to 10 years, and a lot of that was driven by the companies going into international marketplace and then finding that you've got to abide by the certain rules and regulations that are there because the US NEXUS and the like. Building upon this embracing a spirit of compliance, letting the letter of the law be followed in that, I think it's just coming back to letting the board members know within Singapore the awareness of their obligations, and then really building upon those examples of non-compliance and not just about what's happening to Singapore companies, but other examples around the world and the associated issues that are caused.
Back to what we were saying at the very start around the investigation taking place, when that protracted investigation happens, what's the effect on the company with that? And I think some questions that the board should consider or help guide them to consider around is having those right policies in place, considering that, are they reassessing the risks? Are there key risks that there isn't a policy or a control in place to help mitigate? Are they looking at the policies and updating them to address recent developments? There might be changes in the company, there might be an acquisition that's happened or a divestment that's happened. Is there a change in law or regulation? Obviously we've seen in recent years, sanctions come more and more to the fore. So how are companies considering that in the way they do business?
And then coming back to do we have the right management resources to monitor and enforce or operationalize those policies? And thinking about the technology to monitor and enforce those policies. So I think it really comes down to this awareness that can be given to the board around, I think it really has to be around what's the effect of non-compliance? And it's not just about the investigation or the cost of doing the investigation or there could be a regulatory penalty that's applied, but it's also around what society's expectations might be. This scandal hits the front page of the paper, do people want to do business, do they want to buy the product from you because they see that?
Eric Morehead: Yeah, lost business opportunity. It's a big one that's overlooked in that calculus. When we look at these findings and the state of the industry right now, what is your organization planning to do to address some of these risk trends that we are seeing here developing over the last year and into 2024?
Jarrod Baker: Yeah. It comes down to the data, digitization, and I think it's the efficiencies to help address the resource constraints that our clients face, as we were talking about with the findings in the survey. We've invested in certain digital solutions at Deloitte. We have a digitized whistleblowing system, and particularly in Singapore, we've seen that there's a lot more emphasis on whistleblowing. For instance, SGX has a requirement for companies to put in place a policy or framework. So we have this digitized whistleblowing system, which helps to be a plug and play to help a company take care of that, have that independent system there and the dashboards and the like. We've also invested in a risk assessment tool, Risk Beacon, which makes it more effective and efficient to conduct risk assessments. It can allow for comparisons against prior years, seeing how risks evolve or change, different countries, different industries or different parts of your operation. So just gives you that insights rather than relying on a spreadsheet to try and do that risk assessment, really helping summarize and getting the relevant information that management needs to see to help make informed decisions.
And then importantly, coming down to the analytics and the AI, we have a program called guard.ai, which is what I was touching on before about the oil and gas example, where it predicts where fraud and misconduct could be happening. And we know from what the US regulators have said about they want these data insights, this data driven compliance program. And I think that's a standard that no matter where a company is operating in the world, they need to be aspiring to. And then I think also, look at with you at LRN, how you're doing that training. I touched on the awareness and how you get that message across, but Eric, for you, LRN plays an important part with what it does.
Eric Morehead: Yeah. No, data is really key. And even something as perceived as a mundane piece of a program, like a code of conduct, we have an offering we call Smart Code, which is an online version of the code that gathers data about use. So gathering that data on the effectiveness of your program from every conceivable aspect of it. So don't forget about your code and your written policies. How are they being used? What are people looking at? Where are the people that are looking at it, are they coming from? What aren't they looking at? There's lots of actionable data points you can get even from something as again, mundane as your code of conduct and your written standards. The gathering data is not going to be a nice to have in the future, it's going to be a must have.
Jarrod Baker: Exactly.
Eric Morehead: When you look over the findings that we have on the report from Singapore, are there issues that you don't see picked up in this report that are coming across in your experience?
Jarrod Baker: I think this is going to be me as the forensic accountant and investigator speaking. It's the response. It's around having that thorough investigation, an investigation that has to be objective, but when you do that investigation and you find out what's happened, you've got to the bottom of it all, taking those lessons learned and how you mitigate for the future. I think one of the key things is to the extent that you can disclose within the organization, sending that message around how people have tripped up. Sometimes I think with frauds, as we said, I think they're the smartest people in the room, but then it gets unraveled. So let people know that when things do come to this bubble to the surface, the company isn't just going to brush it away, it's actually doing something about it. But also take that positive aspect from it as well, that it's helping you become stronger as an organization when I say that lessons learned, that mitigate for the future.
So there's different types of compliance violations or misconduct that can occur. Some are small, some might be unfortunately large, but it's just making sure that it is considered, it is followed up. I think we don't want to forget about the whistleblower or the person that might raise the issue as well. People brave to speak up, they need to know that something has been done, that they've bothered to share this with you, that it wasn't all in vain, so to speak. So that's what I would say is a key thing.
Eric Morehead: Yeah. No, I agree. It's not worth the time and the effort and the resources to go through any kind of lift on your compliance program or any part of your program really, and then not have the follow through once you uncover or learn something. I think that's the one good thing we can say of many bright spots in the report for Singapore is that leadership in the organizations in Singapore are clearly willing to make those tough choices, at least at a higher percentage than a lot of peers around the world, which is good. Well, we could talk about this all day long or all night long as the case may be since we're on opposite sides of the world, but we're unfortunately out of time for today's podcast. Jarrod, thank you so much for joining me on this episode.
Jarrod Baker: My pleasure, Eric.
Outro: We hope you enjoyed this episode. The Principled Podcast is brought to you by LRN. At LRN, our mission is to inspire principled performance in global organizations by helping them foster winning ethical cultures rooted in sustainable values. Please visit us at lrn.com to learn more. If you enjoyed this episode, subscribe to our podcast on Apple Podcasts, Stitcher, Google Podcasts, or wherever you listen. Don't forget to leave us a review.
Be sure to subscribe to the Principled Podcast wherever you get your podcasts.