1) Spring 2015
CARPE
DM
Compliance and Risk Professionals Education @ Duane
Compliance and Risk Professionals Education @ Duane Morris LLP
Morris
The Art and Science of Compliance
How do you build a successful compliance team? From hard data and metrics
to people skills and creative innovation, chief compliance officers explain
why compliance is both an art and a science.
Insights from
Duane Morris’ Inaugural
Compliance Event
Aramark
Comcast
Endo International plc
2) CARPE
DM
table of contents
Compliance and Risk Professionals Education @ Duane Morris
Compliance and Risk Professionals Education @ Duane Morris LLP
02
04
Independence Matters
06
Reining in Scope Creep
08
The Business Case for
Compliance
10
The Right Team for the Job
12
Speaker Profiles
13
1
Introduction
About Duane Morris
3) Compliance professionals collect and
analyze metrics and hard data, but
they also draw from a variety of brush
sizes and hues when painting a picture
of that data for their organizations.
introduction
Shortly after Katherine Kelton, an alum of Duane Morris, landed the
role of Chief Compliance Officer at Aramark, she logged into the Duane
Morris Alumni page on LinkedIn to seek out benchmarking from peers.
Her query led to the creation of the Carpe DM: Compliance and Risk
Professionals Education program. The inaugural event, held in October in
Philadelphia, brought together executives and on-the-ground professionals
in the compliance space across industries to learn and to network.
A general panel on trends was followed by three different breakout
sessions—all geared toward tackling pain points and offering survival tips.
Speakers from Comcast, Endo International plc and Corporate Executive
Board (CEB) joined Kelton on the dais.
Said one attendee: “Usually compliance events are segmented by
industry. This event was great because I could learn from folks in different
industries and realize that when it comes to a lot of compliance issues,
I’m not alone.”
The compliance function is neither an art nor a science, but its practitioners
benefit from the concepts behind both. Compliance professionals
collect and analyze metrics and hard data, but they also draw from a
variety of brush sizes and hues when painting a picture of that data for
their organizations. The palette of skills and personalities has grown:
Compliance staff now more than ever include those skilled in project
management, in addition to auditing and law. And with communication
and relationship-building key skills for success, today’s compliance officer
should strive to develop a colorful and diverse toolbox.
What follows is a closer look at the conversation.
2
4) Independence
Matters
Moderator Bill Hughes of CEB began by citing
varies based on industry and where you are in
“It really depends on senior management and
“If it’s working,” agreed Smollen, “don’t mess
CEB’s latest 2014 data on independence. “Fifty-
program development. The OIG and DOJ believe
culture at the company,” said Jennifer Heller,
with it.”
eight percent of compliance programs are still
the compliance function should be independent.
Comcast’s Vice President, Chief Compliance
located in the legal department and 22 percent
You see more independence in pharma than
Officer and Senior Deputy General Counsel. “Is
Added Katherine Kelton at Aramark: “At a small
are independent,” he said. “So here are my
other industries. I don’t think it can’t emerge
there real buy-in for the compliance function?
company, you might not have a choice. At a
two questions for you-all: (1) What does it
out of a legal function, but there are benefits to
Ours sits within the law department. I report to
company of our size, you can afford to have
mean to be an ‘independent function’ and (2)
independence. You have your own seat at the
the GC and he is the biggest asset and advocate
two functions. To Jen’s point, if you have the
should compliance teams be pushing to move
table with your board. In addition, when you’re
for our program. I think objectivity, rather than
advocacy of the GC, that’s fine. Not every
in that direction (away from the GC’s scope of
in the compliance function, as opposed to the
independence, may be a better focus. The
company has the CCO at the same level in the
responsibility)?”
legal department, you have a little more freedom
objective person in a compliance role can look
organization. As long as you have understanding
to think about the types of resources you need,
at the company, identify weaknesses and work
from the rest of the executive team of your role,
like hiring non-lawyers.”
to control them to get to a better solution.”
it works.”
Said Jon Smollen, Executive Vice President and
Chief Compliance Officer at Endo: “The answer
Moderator Bill Hughes of CEB leads the conversation with
speakers Katherine Kelton of Aramark, Jon Smollen of Endo
and Jennifer Heller of Comcast.
4
5
5) Reining in
Scope Creep
“One thing many compliance teams
Scope creep can come with the territory
struggle with is scope creep,” noted
of having a team of problem spotters.
Hughes.
strong
“It’s really hard not to have scope creep
compliance team, a lot of the things
when you have a strong compliance team
nobody wants tend to end up as
that spots weaknesses and wants to fix
compliance
said.
them,” said Heller. “But remember, it’s
programs
aboutrisk prioritization and what resources
assume ownership of some programs,
are available. Make sure you are first using
including training, code of conduct,
your resources to manage your highest areas
policy
of risk.”
While
“If
you
have
responsibilities,”
most
compliance
management,
a
he
compliance
risk
assessment, hotline management and
investigations,
privacy,
others,
records
such
as
management
“Where I see the scope creep is in
data
and
managing a set of our risks, and looking
through our lens and seeing a broader
trade compliance, tend to fall to the
issue,” said Smollen. “T&E is the classic
compliance officer’s desk. Hughes asked,
one. From a compliance perspective, Endo
“What’s one thing on your plate that you
has to monitor travel and expenses as they
don’t think should live in compliance?”
relate to dealing with health professionals,
Said Kelton: “It’s a very good question.
but that doesn’t mean we are ‘owning’
Our heat map currently contains risk
the broader T&E function. You want to
areas that date back to our original
help the other parts of the organization,”
risk assessment. So I have to analyze
he continued, “but there needs to be
it regularly to see if I can streamline
infrastructure to protect against scope
it. You have to limit scope around the
creep.” Another example, Smollen said, is
biggest risk,” she said. For example:
that “we own training, but it doesn’t mean I
Treasury risk. “That’s handled by internal
can own every part of the training structure
controls,” said Kelton. “Perhaps I don’t
across the whole company.”
need to report on that.”
You have to limit scope
around the biggest risk.
6
7
6) The Business Case
for Compliance
“Imagine,” offered Hughes, “you have
Also, businesses evolve and change.
a new CFO and you’re sitting in his
Our company today is different than
or her office discussing next year’s
it was three years ago, and I know
budget. You’re making a case for a
it will be very different next year and
slight budget increase, but the CFO
three years from now.” Compliance
comes from a company that spent
budgets need to be prepared for new
far less on the compliance and ethics
compliance issues.
function. Your CFO wants a 15-percent
budget cut and asks, ‘Why are we
“Your CFO is going to be interested
spending so much on compliance? We
in how you grow the business,” added
haven’t had any major issues in years.
Smollen. “In order to manage the risks
Now that we’ve built the program over
of the growth strategy, a compliance
the last few years and established
program can’t ever be static. Around
effective controls, I think we can put
budget time, I try to be in tune with
these dollars to better use elsewhere.’”
the business strategies.” One tip, he
offered, is to try to use the information
Hughes asked the panel: “What are
compliance gathers to help the bottom
one or two bullet points you might use
line. “We have so much data on how
to make your case and defend your
the business operates, and we see
budget?”
business operational trends, so maybe
that data can help business operators
“My first thought is to focus on the
to work more efficiently.”
return on investment,” said Heller.
“Anything
that
you
spend
Kelton noted: “In the absence of a non-
toward compliance would be made
compliance event, it can be difficult to
back on some scale; inevitably, a
make a business case. You can say,
government
cost
here’s what everyone else is doing.
a heck of a lot more than you are
And here are some clear examples of
spending on compliance. An ounce of
what can happen if you don’t have the
prevention is worth a pound of cure.
right resources in place.”
settlement
would
would
8
7) your evolution.” A smaller compliance team may
talking about things.” Spend time with staff in
need a heavier communication-based skills set to
other areas, he said, noting that in the pharma
convey the business case. A late-stage team may
industry, compliance professionals might do a
need more project management.
ride along with sales reps. “You can see what it’s
like to walk in their shoes and they sense that
A recent CEB poll revealed that business-unit
you’re with them. You can give them feedback
partnering skills, Hughes said, like the ability to
that is less adversarial, and later, they might pick
build relationships, were the highest priority for
up the phone and call you.”
compliance professionals.
Heller underscored these points. “These skillsets
“How do you get better at that?” Hughes asked.
Said Kelton: “Have your team build trust with
operators by having them solve operational
problems. Insert yourself in meetings. Sit with
COO staff so you are hearing it all. Raise your
hand and volunteer.”
Kelton and Heller lead a breakout session on risk.
“The biggest thing your people can do is just
The Right Team for the Job
Traditionally, Hughes pointed out, compliance
right times the opportunity to lead a meeting, or
follow up and say, ‘Can I help with this?’”
“Give a little first,” said Heller. “It’s a crucial skill.”
listen,” said Smollen. “Get people comfortable
data analytics person. Someone who can take a
compliance
Watch and observe. Give those people at the
types of people: A really good writer. A strong
“But,” he said, “the toughest challenges for
relationships with peers in HR and internal audit.
to collaborate and partner with all different
and typically have been staffed with lawyers.
down and sideways in an organization. Build
team needs a lot of types of skills. The ability
functions have grown out of the legal department
are needed not at just the top, but all the way
project from start to finish.”
teams—creating
training
that
is
sticky and memorable for employees; influencing
employee behavior; building a strong corporate
Kelton agreed: “I have someone who is an
culture; and segmenting and managing risk in
analyst with an audit background and a project
the company’s third-party base—maybe those
management skillset, which has been extremely
things require skills other than legal knowledge.”
helpful. I also have some teams that have lawyers,
so for the first time, I have lawyers reporting to
What’s the most valuable non-legal skillset or
me. We have historically hired operators. Now
background for someone on a compliance team?
we are a bit of a mix.”
The speakers agreed that a variety of non-legal
A variety of skills is important, concurred
skills help.
Smollen. “I’ve looked for people who come out
“Much of the day we are not doing substantive
of the business, and have good communications
legal analysis,” said Heller. “Your well-rounded
skills. Some of it depends on where you are in
10
John Ryan, General Counsel of Unilife and Duane Morris alum, continuing the conversation.
8) Speaker Profiles
about duane morris
Bill Hughes is Associate Director, Advisory Services, at CEB, a leading member-based advisory company.
Duane Morris LLP, a law firm with more than 700 attorneys in offices across the United States and
internationally, is asked by a broad array of clients to provide innovative solutions to today’s legal and
Jennifer Heller is Vice President, Chief Compliance Officer and Senior Deputy General Counsel for
business challenges. Carpe DM is a program that connects compliance, ethics and risk professionals for
Comcast Corporation. In this role, she is responsible for leading the internal processes for promoting and
networking and benchmarking opportunities.
ensuring Comcast’s compliance with laws, regulations, company policies and contracts, including chairing
its enterprise-wide Compliance Committee that oversees its compliance risk management and internal
complaint reporting programs. She is also responsible for formulating and implementing Comcast’s
London, U
policies and procedures, including its Code of Conduct, and making sure they are communicated and
trained upon across the company.
Katherine Kelton is the Chief Compliance Officer for Aramark, where she is responsible for the
Chicago
ongoing design and monitoring of Aramark’s global compliance program. During this tenure, Aramark was
Lake Tahoe
San Francisco
Silicon Valley
Las Vegas
Los Angeles
San Diego
ranked for the fourth and fifth times as one of Ethisphere’s “World’s Most Ethical Companies.” Prior to
taking on this role in 2013, she was Vice President of Compliance for Aramark Healthcare, and before
that, she was an Assistant Genral Counsel supporting Aramark Healthcare. She is an alum of Duane
Pittsburgh
Atlanta
Houston
Boston
New York
Newark
Cherry Hill
Philadelphia
Wilmington
Baltimore
Washington, D.C.
Morris.
Boca Raton
Miami
Jon Smollen is Executive Vice President and Chief Compliance Officer of Endo International plc. In this
role, he is responsible for the strategic direction and operations of Endo’s corporate compliance program.
Mexico
City
Jon previously was Vice President and Chief Compliance Officer for Siemens Healthcare USA, with
Duane Morris Office
Representative / Liaison Office
responsibility for its laboratory diagnostic and diagnostic imaging businesses in the U.S. Prior to Siemens,
Jon held a number of leadership positions at Wyeth, including Vice President, Commercial Excellence and
Compliance and Chief Privacy Officer, and established several global programs to strategically address
existing and emerging industry requirements.
London, UK
Chicago
Lake Tahoe
San Francisco
Silicon Valley
Las Vegas
Los Angeles
San Diego
Pittsburgh
Atlanta
Houston
Boston
New York
Newark
Cherry Hill
Philadelphia
Wilmington
Baltimore
Washington, D.C.
Shanghai, China
Oman
Singapore
Mexico
City
12
Ho Chi
Minh City
Sri Lanka
Boca Raton
Miami
Duane Morris Office
Representative / Liaison Office
Hanoi, Vietnam
Myanmar
13
9) www.duanemorris.com
Duane Morris – Firm and Affiliate Offices | New York | London | Singapore | Philadelphia | Chicago | Washington, D.C. | San Francisco
Silicon Valley | San Diego | Shanghai | Boston | Houston | Los Angeles | Hanoi | Ho Chi Minh City | Atlanta | Baltimore | Wilmington | Miami
Boca Raton | Pittsburgh | Newark | Las Vegas | Cherry Hill | Lake Tahoe | Myanmar | Oman | Duane Morris LLP – A Delaware limited liability partnership
This publication is for general information and does not include full legal analysis of the matters presented. It should not be
construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The invitation to contact the
attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any
availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice. © Duane Morris LLP 2015.