1) Spring 2015 CARPE DM Compliance and Risk Professionals Education @ Duane Compliance and Risk Professionals Education @ Duane Morris LLP Morris The Art and Science of Compliance How do you build a successful compliance team? From hard data and metrics to people skills and creative innovation, chief compliance officers explain why compliance is both an art and a science. Insights from Duane Morris’ Inaugural Compliance Event Aramark Comcast Endo International plc 

2) CARPE DM table of contents Compliance and Risk Professionals Education @ Duane Morris Compliance and Risk Professionals Education @ Duane Morris LLP 02 04 Independence Matters 06 Reining in Scope Creep 08 The Business Case for Compliance 10 The Right Team for the Job 12 Speaker Profiles 13 1 Introduction About Duane Morris 

3) Compliance professionals collect and analyze metrics and hard data, but they also draw from a variety of brush sizes and hues when painting a picture of that data for their organizations. introduction Shortly after Katherine Kelton, an alum of Duane Morris, landed the role of Chief Compliance Officer at Aramark, she logged into the Duane Morris Alumni page on LinkedIn to seek out benchmarking from peers. Her query led to the creation of the Carpe DM: Compliance and Risk Professionals Education program. The inaugural event, held in October in Philadelphia, brought together executives and on-the-ground professionals in the compliance space across industries to learn and to network. A general panel on trends was followed by three different breakout sessions—all geared toward tackling pain points and offering survival tips. Speakers from Comcast, Endo International plc and Corporate Executive Board (CEB) joined Kelton on the dais. Said one attendee: “Usually compliance events are segmented by industry. This event was great because I could learn from folks in different industries and realize that when it comes to a lot of compliance issues, I’m not alone.” The compliance function is neither an art nor a science, but its practitioners benefit from the concepts behind both. Compliance professionals collect and analyze metrics and hard data, but they also draw from a variety of brush sizes and hues when painting a picture of that data for their organizations. The palette of skills and personalities has grown: Compliance staff now more than ever include those skilled in project management, in addition to auditing and law. And with communication and relationship-building key skills for success, today’s compliance officer should strive to develop a colorful and diverse toolbox. What follows is a closer look at the conversation. 2 

4) Independence Matters Moderator Bill Hughes of CEB began by citing varies based on industry and where you are in “It really depends on senior management and “If it’s working,” agreed Smollen, “don’t mess CEB’s latest 2014 data on independence. “Fifty- program development. The OIG and DOJ believe culture at the company,” said Jennifer Heller, with it.” eight percent of compliance programs are still the compliance function should be independent. Comcast’s Vice President, Chief Compliance located in the legal department and 22 percent You see more independence in pharma than Officer and Senior Deputy General Counsel. “Is Added Katherine Kelton at Aramark: “At a small are independent,” he said. “So here are my other industries. I don’t think it can’t emerge there real buy-in for the compliance function? company, you might not have a choice. At a two questions for you-all: (1) What does it out of a legal function, but there are benefits to Ours sits within the law department. I report to company of our size, you can afford to have mean to be an ‘independent function’ and (2) independence. You have your own seat at the the GC and he is the biggest asset and advocate two functions. To Jen’s point, if you have the should compliance teams be pushing to move table with your board. In addition, when you’re for our program. I think objectivity, rather than advocacy of the GC, that’s fine. Not every in that direction (away from the GC’s scope of in the compliance function, as opposed to the independence, may be a better focus. The company has the CCO at the same level in the responsibility)?” legal department, you have a little more freedom objective person in a compliance role can look organization. As long as you have understanding to think about the types of resources you need, at the company, identify weaknesses and work from the rest of the executive team of your role, like hiring non-lawyers.” to control them to get to a better solution.” it works.” Said Jon Smollen, Executive Vice President and Chief Compliance Officer at Endo: “The answer Moderator Bill Hughes of CEB leads the conversation with speakers Katherine Kelton of Aramark, Jon Smollen of Endo and Jennifer Heller of Comcast. 4 5 

5) Reining in Scope Creep “One thing many compliance teams Scope creep can come with the territory struggle with is scope creep,” noted of having a team of problem spotters. Hughes. strong “It’s really hard not to have scope creep compliance team, a lot of the things when you have a strong compliance team nobody wants tend to end up as that spots weaknesses and wants to fix compliance said. them,” said Heller. “But remember, it’s programs aboutrisk prioritization and what resources assume ownership of some programs, are available. Make sure you are first using including training, code of conduct, your resources to manage your highest areas policy of risk.” While “If you have responsibilities,” most compliance management, a he compliance risk assessment, hotline management and investigations, privacy, others, records such as management “Where I see the scope creep is in data and managing a set of our risks, and looking through our lens and seeing a broader trade compliance, tend to fall to the issue,” said Smollen. “T&E is the classic compliance officer’s desk. Hughes asked, one. From a compliance perspective, Endo “What’s one thing on your plate that you has to monitor travel and expenses as they don’t think should live in compliance?” relate to dealing with health professionals, Said Kelton: “It’s a very good question. but that doesn’t mean we are ‘owning’ Our heat map currently contains risk the broader T&E function. You want to areas that date back to our original help the other parts of the organization,” risk assessment. So I have to analyze he continued, “but there needs to be it regularly to see if I can streamline infrastructure to protect against scope it. You have to limit scope around the creep.” Another example, Smollen said, is biggest risk,” she said. For example: that “we own training, but it doesn’t mean I Treasury risk. “That’s handled by internal can own every part of the training structure controls,” said Kelton. “Perhaps I don’t across the whole company.” need to report on that.” You have to limit scope around the biggest risk. 6 7 

6) The Business Case for Compliance “Imagine,” offered Hughes, “you have Also, businesses evolve and change. a new CFO and you’re sitting in his Our company today is different than or her office discussing next year’s it was three years ago, and I know budget. You’re making a case for a it will be very different next year and slight budget increase, but the CFO three years from now.” Compliance comes from a company that spent budgets need to be prepared for new far less on the compliance and ethics compliance issues. function. Your CFO wants a 15-percent budget cut and asks, ‘Why are we “Your CFO is going to be interested spending so much on compliance? We in how you grow the business,” added haven’t had any major issues in years. Smollen. “In order to manage the risks Now that we’ve built the program over of the growth strategy, a compliance the last few years and established program can’t ever be static. Around effective controls, I think we can put budget time, I try to be in tune with these dollars to better use elsewhere.’” the business strategies.” One tip, he offered, is to try to use the information Hughes asked the panel: “What are compliance gathers to help the bottom one or two bullet points you might use line. “We have so much data on how to make your case and defend your the business operates, and we see budget?” business operational trends, so maybe that data can help business operators “My first thought is to focus on the to work more efficiently.” return on investment,” said Heller. “Anything that you spend Kelton noted: “In the absence of a non- toward compliance would be made compliance event, it can be difficult to back on some scale; inevitably, a make a business case. You can say, government cost here’s what everyone else is doing. a heck of a lot more than you are And here are some clear examples of spending on compliance. An ounce of what can happen if you don’t have the prevention is worth a pound of cure. right resources in place.” settlement would would 8 

7) your evolution.” A smaller compliance team may talking about things.” Spend time with staff in need a heavier communication-based skills set to other areas, he said, noting that in the pharma convey the business case. A late-stage team may industry, compliance professionals might do a need more project management. ride along with sales reps. “You can see what it’s like to walk in their shoes and they sense that A recent CEB poll revealed that business-unit you’re with them. You can give them feedback partnering skills, Hughes said, like the ability to that is less adversarial, and later, they might pick build relationships, were the highest priority for up the phone and call you.” compliance professionals. Heller underscored these points. “These skillsets “How do you get better at that?” Hughes asked. Said Kelton: “Have your team build trust with operators by having them solve operational problems. Insert yourself in meetings. Sit with COO staff so you are hearing it all. Raise your hand and volunteer.” Kelton and Heller lead a breakout session on risk. “The biggest thing your people can do is just The Right Team for the Job Traditionally, Hughes pointed out, compliance right times the opportunity to lead a meeting, or follow up and say, ‘Can I help with this?’” “Give a little first,” said Heller. “It’s a crucial skill.” listen,” said Smollen. “Get people comfortable data analytics person. Someone who can take a compliance Watch and observe. Give those people at the types of people: A really good writer. A strong “But,” he said, “the toughest challenges for relationships with peers in HR and internal audit. to collaborate and partner with all different and typically have been staffed with lawyers. down and sideways in an organization. Build team needs a lot of types of skills. The ability functions have grown out of the legal department are needed not at just the top, but all the way project from start to finish.” teams—creating training that is sticky and memorable for employees; influencing employee behavior; building a strong corporate Kelton agreed: “I have someone who is an culture; and segmenting and managing risk in analyst with an audit background and a project the company’s third-party base—maybe those management skillset, which has been extremely things require skills other than legal knowledge.” helpful. I also have some teams that have lawyers, so for the first time, I have lawyers reporting to What’s the most valuable non-legal skillset or me. We have historically hired operators. Now background for someone on a compliance team? we are a bit of a mix.” The speakers agreed that a variety of non-legal A variety of skills is important, concurred skills help. Smollen. “I’ve looked for people who come out “Much of the day we are not doing substantive of the business, and have good communications legal analysis,” said Heller. “Your well-rounded skills. Some of it depends on where you are in 10 John Ryan, General Counsel of Unilife and Duane Morris alum, continuing the conversation. 

8) Speaker Profiles about duane morris Bill Hughes is Associate Director, Advisory Services, at CEB, a leading member-based advisory company. Duane Morris LLP, a law firm with more than 700 attorneys in offices across the United States and internationally, is asked by a broad array of clients to provide innovative solutions to today’s legal and Jennifer Heller is Vice President, Chief Compliance Officer and Senior Deputy General Counsel for business challenges. Carpe DM is a program that connects compliance, ethics and risk professionals for Comcast Corporation. In this role, she is responsible for leading the internal processes for promoting and networking and benchmarking opportunities. ensuring Comcast’s compliance with laws, regulations, company policies and contracts, including chairing its enterprise-wide Compliance Committee that oversees its compliance risk management and internal complaint reporting programs. She is also responsible for formulating and implementing Comcast’s London, U policies and procedures, including its Code of Conduct, and making sure they are communicated and trained upon across the company. Katherine Kelton is the Chief Compliance Officer for Aramark, where she is responsible for the Chicago ongoing design and monitoring of Aramark’s global compliance program. During this tenure, Aramark was Lake Tahoe San Francisco Silicon Valley Las Vegas Los Angeles San Diego ranked for the fourth and fifth times as one of Ethisphere’s “World’s Most Ethical Companies.” Prior to taking on this role in 2013, she was Vice President of Compliance for Aramark Healthcare, and before that, she was an Assistant Genral Counsel supporting Aramark Healthcare. She is an alum of Duane Pittsburgh Atlanta Houston Boston New York Newark Cherry Hill Philadelphia Wilmington Baltimore Washington, D.C. Morris. Boca Raton Miami Jon Smollen is Executive Vice President and Chief Compliance Officer of Endo International plc. In this role, he is responsible for the strategic direction and operations of Endo’s corporate compliance program. Mexico City Jon previously was Vice President and Chief Compliance Officer for Siemens Healthcare USA, with Duane Morris Office Representative / Liaison Office responsibility for its laboratory diagnostic and diagnostic imaging businesses in the U.S. Prior to Siemens, Jon held a number of leadership positions at Wyeth, including Vice President, Commercial Excellence and Compliance and Chief Privacy Officer, and established several global programs to strategically address existing and emerging industry requirements. London, UK Chicago Lake Tahoe San Francisco Silicon Valley Las Vegas Los Angeles San Diego Pittsburgh Atlanta Houston Boston New York Newark Cherry Hill Philadelphia Wilmington Baltimore Washington, D.C. Shanghai, China Oman Singapore Mexico City 12 Ho Chi Minh City Sri Lanka Boca Raton Miami Duane Morris Office Representative / Liaison Office Hanoi, Vietnam Myanmar 13 

9) www.duanemorris.com Duane Morris – Firm and Affiliate Offices | New York | London | Singapore | Philadelphia | Chicago | Washington, D.C. | San Francisco Silicon Valley | San Diego | Shanghai | Boston | Houston | Los Angeles | Hanoi | Ho Chi Minh City | Atlanta | Baltimore | Wilmington | Miami Boca Raton | Pittsburgh | Newark | Las Vegas | Cherry Hill | Lake Tahoe | Myanmar | Oman | Duane Morris LLP – A Delaware limited liability partnership This publication is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The invitation to contact the attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice. © Duane Morris LLP 2015.