Articles | Ethics & Compliance | LRN

The foundational importance of risk: E&C program effectiveness in 2024

Written by Principled Podcast | Feb 16, 2024 9:00:00 PM

What you'll learn on this podcast episode

As geopolitical events, new technology, and regulatory developments increase the severity and frequency of risks, E&C programs are focused on their risk mitigation efforts. At LRN, a central lesson from over 10 years of primary research is that values-based programs are not only the most effective, but also correlate strongly with reduced risk and better business outcomes. But how exactly are E&C programs evolving in response to this increasingly complex risk landscape? And what do global best practices look like going into 2024? In this episode of the Principled Podcast, host Amy Hanan discusses key findings from the 2024 global edition of LRN’s annual Ethics & Compliance Program Effectiveness Report with Juliana Rodrigues, the global chief compliance officer at Coty.

Get a copy of the global edition of LRN’s 2024 Ethics & Compliance Program Effectiveness Report

Where to stream

Be sure to subscribe to the Principled Podcast wherever you get your podcasts.

 

Guest: Juliana Rodrigues

Juliana Rodrigues is the global chief compliance officer at the beauty and personal care product manufacturing organization Coty. In this role, she deploys, controls, and defines strategies for the company’s global ethics and compliance program—including a global data privacy program—across the Americas, APAC, and EMEA regions. Juliana has over a decade of experience working in multinational companies with an emphasis on leadership of regional E&C areas, reporting to C-suite executives, and providing strategic support and advice on compliance matters. Prior to joining Coty, Juliana spent seven years at Louis Dreyfus Company as a compliance officer, responsible for the trade compliance and regulatory compliance issues for the company in Latin America. She holds a Master of Laws from the University of California, Davis School of Law and a MBA from Brazil’s Fundação Getulio Vargas (FGV).  

Host: Amy Hanan

Amy Hanan is the chief marketing officer at LRN. A B2B digital marketing leader, Amy has a nearly 20-year track record in product, brand, lifecycle, and demand-generation marketing as well as corporate communications for media, professional services, and technology companies. One of her central areas of expertise is executing tech-enabled marketing initiatives for growth. Before joining LRN, Amy was the chief digital officer at Baretz+Brunelle, a marketing and communications agency serving the legal and financial services industries. Her previous experience includes Reorg Research, ALM Media and The Associated Press. She holds a Bachelor of Arts degree from Northern Arizona University. 

Principled Podcast transcription

Intro: Welcome to the Principled Podcast, brought to you by LRN. The Principled Podcast brings together the collective wisdom on ethics, business and compliance, transformative stories of leadership and inspiring workplace culture. Listen in to discover valuable strategies from our community of business leaders and workplace change-makers.

Amy Hanan: As geopolitical events, new technology and regulatory developments increase the severity and frequency of risks, E&C programs are focused on the risk mitigation efforts. At LRN, a central lesson from over 10 years of primary research is that values-based programs are not only the most effective, but also correlate strongly with reduced risk and better business outcomes. This is validated in our brand new 2024 Ethics & Compliance Programme Effectiveness Report, which features global data and insights from more than 1,400 E&C professionals. This report also marks 10 years of LRN benchmarking crucial data on program evolution for E&C professionals worldwide. But how exactly are E&C programs evolving in response to this increasingly complex risk landscape? And what do global breast practices look like going into 2024? 

Hello and welcome to season 11 premiere of LRN's Principled Podcast. I'm your host, Amy Hanan, chief marketing Officer at LRN. Today I'm joined by Juliana Rodrigues, the Global Chief Compliance Officer at Coty. We're going to be talking about key findings from the global edition of the 2024 Ethics & Compliance Programme Effectiveness Report. Juliana is a real expert in the space with over a decade of experience leading both global and regional ethics and compliance teams. Juliana, thanks for joining me on the Principled Podcast. 

Juliana Rodrigues: Thank you, Amy. I'm honored by the invitation. I think that this is an amazing opportunity for us to discuss the new trends, where we are going, where we stand, and I think that it'll be a very interesting conversation today. 

Amy Hanan: I agree. Let's dive right in. How about you start by telling our listeners a little bit about Coty, your role within the company, and how maybe that's changed since your time with Coty? 

Juliana Rodrigues: So Coty is a global beauty powerhouse. We have been in the market for many, many years. And here internally, we are a leader in skincare, in fragrance, color cosmetics, and we have iconic brands like Gucci, Tiffany, CoverGirl, Burberry, Sally Hansen, Kylie Cosmetics, SKKN BY KIM, Orveda, Lancaster, and the list goes on. So I'm pretty sure that every single one of the listeners either has or had at some point in time a Coty product at home. I love working for Coty. I think it's a beauty company with a beautiful set of values. We are a very strong community. We believe in ethics and compliance, for real, at the company, and that's why I am here. 

So currently I'm the Chief Compliance Officer for Coty. I'm located in New York City, but I started five years ago back in Brazil, taking care of the regional compliance program for Latin America. That role evolved into an America's role, and I ended up where I am today. So as you can see, not only is a company that creates beauty for the outside world, they also cultivate people internally and make us grow. And that's why I'm very proud to be part of the company. Of course, I want to make it very clear that everything that I say today, it's my own opinion. It's not the company opinion, but of course, it reflects all of my personal and professional experience throughout the years. So in a nutshell, that's me, and that's Coty. 

Amy Hanan: And that experience I think is going to serve us so well as we get into some of the report key findings. So let's just get right to it. 

A key theme from this report is that effective ethics and compliance programs, wherever they're located in the world, strongly focus on risk mitigation. And in fact, global programs ranked risk mitigation and risk analysis as their top priorities for improvement in usefulness for evaluating program impact. What about this resonates with you and what's your experience been like? 

Juliana Rodrigues: I think that it couldn't be more the translation of reality. There is no one size fits all. A few years ago, when I started my compliance journey back in Brazil, not even at my current company, at my previous company, we were all talking about we all have to have compliance programs. And law firms and consultancy firms, they were selling these programs that were pre-made and here is a set of policies, this is how you start compliance in your company. At that time, it was what everybody needed, but it's not what we need now. And I'm super happy to see that this evolved. So one size fits all doesn't work anymore. You have to have a program that is general, it doesn't matter where you are in the world, the program is the same for everyone, but then based it on the data that you recover, based it on the cases that you receive, you tailor-made every single little piece of the program to make sure that you are providing the right training, the right awareness, the right communications to each and every country and region. 

And why do I say that? Because especially when you are working for a global company, behaviors are different. And I can tell you that because again, I'm a Brazilian living in New York. I know the difference. I live the difference every single day. So the way I started doing compliance in Brazil is different from the way compliance issues are arising from the US, for example, which is also very different from the way I see compliance issues in China or in the UAE or even in Europe. So you have to take that into consideration, and it's not like a nice to have. It's a must have. If you don't do a proper risk assessment, you are going to set up your program to failure. It makes me very happy to see that this is not just me, this is everyone. So I think that this is the total reflection of reality. 

Amy Hanan: Just as a follow-up to that, because you mentioned several different locations there, Brazil to China, to the United Arab Emirates, do you have any tips or best practice that you've seen for risk assessment for global programs, either as you've started to implement them at Coty or elsewhere? 

Juliana Rodrigues: First of all, you have to have someone on the ground. Okay? You have to know your business from the inside out. Because on paper, everything is beautiful. On paper, a policy that says 'Don't do A,' it's fine because paper accepts everything that we write. But when you go, let's say that you have a plant in Argentina, okay? You have to understand how society works in Argentina, how employees behave in Argentina. And what is the risky area in Argentina, not necessarily is a risky area in France. And once you have this view from the inside out, you have the base to start building up a risk assessment. Then you have to understand the type of business that you're doing in that location specifically. 

Because, big example, do you think that I should be focusing on, I don't know, sanctions for a plant in Latin America that is not exporting anything to any sanctioned country or doesn't have any kind of connection with the US or anything like that? Yes, that could be interesting, but is that my main risk? Probably not. But I need to have a very good analysis on potentially gray market, deviation of products, products being stolen because of, I don't know the location of that specific plant. 

So this is how you actually do risk assessments that are not just generic and they are reflecting the local conditions. And also, of course, on top of everything, you have to take into consideration the historical cases that you had logged in your compliance system or any system that you are using to control cases coming from that location, because the cases are going to tell you a story and you have to pay attention to that story, and you have to take the facts from the cases and think about risk mitigants for the future. 

Amy Hanan: I'd like to go back to something you mentioned when you were introducing yourself to our listeners. You talked about how Coty is offering beauty products to the world, but also bringing in some of that beauty into the culture. And one of the fundamental principles of ENC programs is that values are the principle motivator of ethical behavior. I think you were touching on this when you were talking about the beautiful culture developing at Coty. This idea has only gained traction over time. And in fact, 77% of ENC professionals from our most recent report say that their organization emphasizes values rather than rules to motivate ethical behavior. And that is a 27% point increase from when we first started asking this type of question back in 2016. What are your thoughts on this? Values versus rules and the development culture. 

Juliana Rodrigues: We have to have rules. That's the basic principle. Yes, compliance, everybody say, 'Oh, compliance is so boring. I hate compliance.' Yes, because probably you hate the old school compliance, which is like, this is the rule, you follow the rule, this is the box. If you step one centimeter outside of the box, that's it. You are going to be either terminated or you're going to have a sanction or something like that. That's the boring compliance, but that's not the compliance that we are living nowadays. Nowadays, yes, we do have the rules, but also, we are changing behavior. That's why I said, for example, that at Coty we are cultivating beauty inside and out. Our program here, it's called Behave Beautifully, because that's what we expect from people. We expect you to know the policy but also understand why you have to follow the policy. And that goes through our values. 

Our values are be fearless, be kind, follow the rules, but be fearless. So it means that you have to understand that these are the limits, but you have to respect people and you have to understand why those rules are here and how we create that. That's the result of years of work, not just my work, but everyone's work. So, when you see that you have a 27% increase on people saying 'Yes, values are more important than rules,' it means that finally the population is hearing the compliance professionals, because that's what we say every single day. 'Yes, here is the code of conduct. Those are the principles.' And those principles, those values, they have to be part of your daily routine to a point that we don't even have to be talking about compliance every single day because it's already part of the culture of the company. 

I love a phrase like, a car has brakes. It's not to make it go slower, it's just to make it go faster, but in a more effective way. So that's why a car has brakes. So okay, compliance might be seen as the brakes, but we are not here to stop business. We are here to make people understand that those principles, ethical principles, they have to be part of every single negotiation, every single conversation. And you have to keep that in mind, because if you don't have that in mind, you are putting everything at risk, not only your small part of the business, but the entire thing. And I think that we have been preaching that for years. And the numbers that we are seeing at the report, they're just the result of that, because people are understanding. And why they're understanding, because unfortunately, probably they saw cases, they saw instances where a borderline behavior created risk or sacrificed business, and now this is becoming part of the routine of everyone. So it's not only [inaudible 00:13:28] from the top, it's finally the walk, the talk. 

Amy Hanan: Let's go a little bit deeper on that walking the talk part, because not every insight from the report is a positive one. There are areas that need improvement for programs globally as well. And addressing this point in particular, the gap between leadership and middle management when it comes to operationalizing ENC continues to grow. There's a 37% point difference between leaders and managers who lean on company values to make tough decisions. And this is the highest gap since we've started collecting this data. Did this surprise you? I know in the prep for our conversation today, you circled this a few times in the notes. So did this surprise you? And how would you recommend other leaders start to address this issue? 

Juliana Rodrigues: It does not surprise me at all, because it is what we see. It's what I see, it's what my peers see. And I'm not talking about my field, I'm talking about every single company out there. When you sit it with a group of compliance officers, I can tell you that at some point we are all going to talk about tone at the middle. And why? Because as I was just telling you, it's all about persistence, it's all about repeating, it's all about training people. And for the past few years, we all have invested a lot of time and resources on the leadership because we needed that. Without the support from the leaders, it's practically impossible for you to have a really effective program. Because if the leaders don't talk about compliance, no one else will stop their day to listen about compliance. I think compliance is the most interest subject there is. 

Okay. Compliance for me is fun, it's interesting. I can spend hours talking about compliance, but I know that I don't have so many people together with me. And we needed the leaders to help us spread the message. But now we are at the second stage. We need now to start talking more to the daily routine people, to the people on the ground, to the operational leaders, to the middle manager, because those guys are the ones that are right now trying to do whatever it takes to deliver results. And we are not here to stop them, but we need to create the same awareness that we created at the top, at the middle. How do I suggest we start doing that? Again, go to places, send your teams to do training, use creative solutions. I know that it's almost impossible to train 10,000 people at once, but you can have solutions. 

You can have online trainings, compliance pills, compliance knowledge pills that are distributed by email, posted on workplace, you name it. And there are solutions that are not even that costly. Sometimes, if you go and spend a week visiting plants, visiting offices, visiting stores with the middleman, you are going to start planting the seed of compliance on their minds and you are going to show them real life examples. Every time I do training, every time my team conduct training using real life examples, and I'm not talking about bringing cases and exposing people, our people, I'm not talking about that. I'm talking about here is what can happen to you and to your family if you are caught up in, I don't know, a fraud or a bribery or a kickback scheme in the US, this is what could happen. Do you want this to happen with you? 

Because we need to bring the reality of noncompliance to people to make them be a little bit more open, to understand, and to be trained, and to learn. And we have to insist. It's not one time you. Have to go hundreds of times, and you have to repeat yourself hundreds of times. But I can guarantee that in a few months, you will see a few results. And I think that, I might be wrong, Amy, but I think that maybe in the 15th anniversary of the report, we will see that those numbers are way much better. And then we are going to be talking about, okay, but how do I make sure that even the lowest level employee at the very low entry level, how do we guarantee that that person is selected in accordance with our values, with our principles, with our policies? So I think that this is the evolution. It's a lot of work for us, but I'm excited to be focusing now more on the middle management, because I already know that I have full support from the leadership. 

Amy Hanan: And you were getting to this a little bit in what you were just saying. I think it's how do you know these things are working? How do you know these elements that you're introducing and these new initiatives and programs are effective? And also ahead of our discussion, you had mentioned that a key insight from the report was really about the use of data for ongoing program evaluation, and specifically high performing ENC programs are more than twice as likely to use data from a variety of sources to guide program focus and development overall. 

So what about this particular finding stood out to you, and how do you think about gathering data, using data to really figure out what is working in our program? 

Juliana Rodrigues: If we don't have data, you can have the most perfect, beautiful, pristine program there is. If you are not gathering data, you are dead. Your program is not effective, and you are doing nothing. And when I say data, I'm not talking about crazy AI tools that are... It's everything you said. It's data from every single source possible. How do I know if a policy is working? Let's use as an example a travel and entertainment policy. Let's say that we have a limit of, I don't know, $100 for entertainment to be provided for clients. How do I know that my policy is really working? Number one, I have to provide training. So I need all the data from the population that was trained, when, how, attendance sheets, if I had quizzes, the results of the quizzes, because then I know that I have at least provided opportunity of training for 100% of the population that will use that specific policy. So step number one. 

Step number two, to see the data, I need to go to SAP, and I need to understand for the past, I don't know, after the training was conducted, six months after I monitor or I do a check and see how the levels of entertainment were. Are people following the rule or are people not following the rule? And if they are not following the rule, is there a business justification for that? If there is, okay, what was the business justification? Does it make sense from a compliance standpoint or it's just, 'Oh, I overspend and then my manager goes and approves it.' Let's say that I have this situation where I have 90% of the people going above $100, and the justification is, 'It is what it is. New York is expensive. I'm sorry.' So not only I need to repeat the training to the target public, but I also need to retrain and have a very serious conversation and follow up with the managers. 

Because as managers, they should be controlling that. And if the $100 is not sufficient for New York, they should have brought it to their managers to say, we need to change the policy. Because the way it is, we are forcing people to creative solutions to be in compliance with a policy that does not make sense. Again, data. Let's say that I did it all and now we are at $200, and then I monitor again, and then I see that, oh, I don't have so many outliers. And when I go to the justifications on why they exceeded, they make sense. It's like, oh, it was not just one person, it was three people. It was an event in connection with a meeting that was A, B, C, D and E, and we had to have dinner at that specific place. So that's why we went over budget, but okay, it was approved by the manager. 

When I see that, it means that it's working. And this is a very simple example of data that is already available. You don't need any kind of system that is different from SAP or Oracle or whatever normal system that all of the companies that we work for are using it on a daily basis. But then you say, okay, but what else? Our compliance systems I have today, if you ask me, I can tell you how many days my team is taking to investigate cases. I can tell you how many days cases that are considered right, high, medium or low risk, how many days we take to invest to open and close the case. And I have justifications on why it's taking too much or too little. This is data that I extract on a daily basis. I know where cases, like in the US I can tell you which one are the issues that are being more brought to our attention. The same for Brazil, the same for Argentina, the same for every single place in the world we are, because we invested and we have a system that help us control that. 

So again, data,.if you don't have data, you don't have anything. The same system, I can use a different system to assign trainings and have an electronic list to say, oh, yes, Amy, yes, she was trained on the code of conduct on social media. She was trained on hundreds of different policies. And then I have a case from Amy that she posted something that she should not be posting online, and it's a breach of our confidentiality obligation of the company. And the first thing she will say to me is, 'Oh, I was not aware about the social media policy.' And then I will be back and say, 'Oh, yes, you were, because on day X, you completed the training and you read the policy and you acknowledged the policy.' So I can even make my sanctions better, more fair. The same for investigations. It's more and more common. 

A few years ago, no one had it, but nowadays, everyone has a forensics tool inside the company. I have a forensics tool. So if I want to see and check, if you leaked an information through your corporate email to your personal email, I have the tools to do that. Again, data. And that's why I say, if you are not seeing what's happening around us, and if you are not getting that data it's the new trend, you are going to kill your program in, I don't know, months or years. Because without that, I don't see a way for any serious compliance professional to really start talking about, even talk about risk assessment because all these things that I just mentioned, they are also part of a risk assessment in the future. So, oh, I had XYZ problems on, I don't know, Venezuela because of breaches of our social media policy. How do I know that? It's a combination of a lot of data. So that's why I think that you had such a big smile on my face when you were talking about data. 

Amy Hanan: And you just gave so many really useful, practical, on-the-ground type of examples of how you use data in the day-to-day management of your program, and how you think about deploying resources or what kind of actions may need to be taken. Can we look at the flip side of the data then? And in your view, what's important for showing program effectiveness or the impact of your program on the business when you're reporting up into the CEO or your board of directors? How do you tell that story? 

Juliana Rodrigues: Exactly the same with data, with a lot of data, because they are not interested in the details of every single case we have, but they want to know where the most serious cases are coming from, specifically why we think they are serious and what we have done to make sure that number one, the case was solved, closed in a satisfactory way, and more important, what are we doing to mitigate, to ensure that this is not going to happen in the future. So you have again, to combine everything. So combine the fact that you are actually going to places, talking to people, making sure you know the business, combine it with all the data you extract, and show them, okay, this is the picture. This is quarter one fiscal year '24. This is the picture of our compliance program today. This is what we are working on. 

And this is based on what we saw, those are the plans for next quarter. This is how I try to do it. And so far, it has been successful because, of course, they always have questions and they always have suggestions because they are there; it's not out of the blue. They know better. They are experienced leaders. They have similar problems in other companies, in other instances, so they also bring a lot to us. But to allow us to have a very in-depth conversation, we need to make sure that we are issuing reports that make sense, that are easy to read, that they don't have to know the nitty-gritty of the compliance program to understand that we are being effective. Because let's say for example that I present to the board, that I say to the board that I'm taking 125 days to close cases in average, that's a problem. 

If I go there and tell them I'm taking 125 days to close cases, I better have a very good justification for that. It's because blah, blah, blah, blah, blah, blah. Because they're complex. Because this, because of that. I have to have justifications, because otherwise the numbers per se, they don't mean anything. But when you show them, oh, it takes me in average 25 days to close a case, yes, I have cases that are open for 125 days, but those cases, I treat it on a separate note, but the general terms in one or two slides, you have to be able to tell them, this is the picture and this is why you don't have to be worried because we are doing our job here correctly. And that's the beauty of data. 

Amy Hanan: As I mentioned towards the beginning of our conversation, this year, 2024, marks the 10th annual publication of LRN Ethics & Compliance Programme Effectiveness Report. And today, we've covered a lot of topics in a short period of time. And really, where programs can improve their effectiveness and strengthen core components, risk mitigation efforts, focusing on values, operationalizing ENC at all levels across all regions. And you were just speaking quite a bit about your passion for enhancing data and metrics. But looking towards the future, what sorts of developments do you hope to see ENC programs tackle over the next year or even the next 10 years? 

Juliana Rodrigues: I think that I will sound repetitive, but I think that data is the new trend. And more than data, I think that we are now starting to talk a lot about the use of AI and how it can be beneficial to us. Because we have to be honest, we are not, even for global companies, we don't have huge teams anymore. We are lean organizations and we need to be more effective with the resources we have. So we need to rely on intelligence. We need to rely on tools that make our life easier, but at the same time, are not putting the program at risk. I'm a fan of artificial intelligence. I think I'm a baby learner still. I think that there is a lot out there. We have to be cautious with all this new initiatives that are coming up. But I do see the increase of AI tools, the increase of data analytics into our work to make sure that we are dedicating time. 

Because we cannot forget one thing that is very fundamental for every compliance professional and for every compliance program. No matter what happens, we need to keep having the human connection with people. Compliance is about trust. Compliance is about rules, yes, but it's also about trust. You have to have a connection with the people. You have to have a connection with the employees. They have to trust you. They have to trust the function. And I always think that people trust people. People don't trust machines. They trust machines, but they also have to know that there is a person behind everything. So for the next year, we are going to rely a lot on AI, data analytics, but we also need to counterbalance that with the human presence. And I think that will be the biggest challenge for the next few years. Because otherwise, if I tell you, oh, it's going to be all about data, AI and everything, okay, we are going to disappear. No, we cannot disappear because that's the beauty of compliance. That's the human element of it. 

Amy Hanan: And I think that is a perfect way to wrap up our conversation today. Juliana, I'd like to thank you for being my trusted human today. This is clearly a conversation we could keep going as we have only started to scratch the surface on so many of the key findings of our report that we're releasing this year, but we're out of time. 

So thank you again so much for joining me on this episode of the podcast. My name is Amy Hanan, and I also want to thank all of our listeners today for joining us on this episode of the Principal Podcast by LRN. 

Juliana Rodrigues: Well, thank you so much for having me. It was a pleasure. And I agree with you, we could go on for hours and hours, and I hope that at least I shared a little bit of my insights. And yeah, let's see what comes next, right? 

Amy Hanan: We sure will. Thank you again. 

Juliana Rodrigues: Thank you. 

Outro: We hope you enjoyed this episode. The Principled podcast is brought to you by LRN. At LRN, our mission is to inspire principled performance and global organizations by helping them foster winning ethical cultures rooted in sustainable values. Please visit us at lrn.com to learn more. And if you enjoyed this episode, subscribe to our podcast on Apple Podcasts, Stitcher, Google Podcasts, or wherever you listen. And don't forget to leave us a review.

Be sure to subscribe to the Principled Podcast wherever you get your podcasts.