Reporting Compliance to Senior Management

August 29, 2022

Don’t let your report be buried under a pile of paperwork. Create an engaging, impactful summary of the state of your program. We joined our industry experts in EthicsVerse to discover how you can optimize your compliance reporting. Learn how to inform management on the key issues at hand, the successes you’ve seen, and the road ahead.

Transcript for Reporting Compliance to Senior Management

Matt Kelly: All right. Well, I want to welcome everybody to this EthicsVerse meeting masterclass, as people are trickling in here, I am your host for the hour Matt Kelly. So we are going to have another great discussion as usual. We are here to talk about successful reporting to the board and to senior management about compliance and ethics issues. And as usual, we hope to have a very lively discussion.

I know that… All right, see, we already have listeners who know the drill, typically we love to chip in with first where are they dialing in from. I know we’ve got people from Texas and Florida and Pennsylvania. All right, they’re all over the place. Somebody from Massachusetts, thank you, same here.

So let me take a moment to introduce the subject and then our panelists for the hour. As I said, we’re going to talk about board reporting, a couple of big themes that we want to explore is number one, what is it that you would actually want to do with reporting? How much do you want to have a good meaty report, a written thing, or a printed thing that you give to the board? And how much do you want to actually have a more of a conversation with them in person where the report is just the helpful material after the fact? But, you know, what makes for good reporting to the board?

Number two, what is it that you actually want to report to the board about key performance metrics, about big picture issues, about compliance crises? And then just a lot about lessons learned maybe on what does work and does not work for having a good board management versus compliance officer relationship? And does it vary? Do you have one sort of report you give to the board? Do you have a different one that you give to senior management and so forth? So we have an awful lot we can cover.

Our speakers are, in no particular order, number one, JoQuese Satterwhite. So, JoQuese is the I think senior director and global chief of staff for compliance operations at Medtronic. JoQuese, did I get that right?

JoQuese Satterwhite: You got it right.

Matt: Wow. All right. “Chief of staff” just sounds like an excellent title. I love that

Nick Gallo: Totally.

Matt: Also with us is Dan Christmas, who is chief compliance officer at Corning Incorporated. So Dan, welcome.

Dan Christmas: Thanks, Matt. Glad to be here.

Matt: And as always, with us is Nick Gallo, co-CEO of ComplianceLine, the sponsor of these master classes. And Nick, welcome too.

Nick: Thank you so much. Glad to be here, pretty excited about this topic. This one is one that really can help frame out our influence in our organization. And you can really do a lot well with it, or you can do a lot poorly with it. So I’m excited to dive in. As always, I’m gonna always say this on every EthicsVerse, hold me to it. Our greatest asset in ethics, compliance, and human resources is this magic community that we’re all a part of. So, but it’s only there for you if you engage in it. So everybody should drop their LinkedIn contact information, your LinkedIn URL into the chat, connect with your friends in different organizations because we’re all fighting the same battle. 

So reach out, we always want these sessions, these EthicsVerse episodes, we want them to be very valuable for you. We love that you spend every single Thursday with us, either getting your first cup of coffee, if you’re on the West Coast, or having your lunch with us if you’re on the East Coast. We love that you spend your time with us. But we always want this to be super interactive. So drop those questions, drop your tips, and drop whatever’s kind of top-of-mind into the chat and we’ll, you know, Matt and I will do our best to integrate those things into the conversation so that this can be really meaningful for you.

Two other things, one, of course, EthicsVerse, our world-famous EthicsVerse book giveaway will be in full effect for anybody who’s dropping great comments into here. So someone will reach out to you if you’re dropping good tips, good questions, things like that, and you’ll get to pick from our library of ethics, compliance, and human resource books. And finally, at the end, I’d like to circle back to this, Matt, but I wanna start really crowdsourcing some great ideas from folks on things that really resonate with them. We want the content that we’re generating here together to be valuable to the broader community. And we always kind of clip this thing out. So if there’s a great comment that you love, just say, “Great comment,” or, you know, give us a little hint on what really resonated with you because we wanna feed this community, and one of the best ways we can do that is from thought leadership and actual tactics that you can implement on daily basis. So with that, my preamble is over, back to you, Matt, we can dive in.

Matt: All right. So, first question, I’ll probably start by putting it to JoQuese first, and then Dan, give me your thoughts. But what would you say, or what would you define as the most successful or important parts? What is the most important part of successful reporting? Is it the report itself? Or is it the conversation that you have with the board while the report is there on the table? Is it a combination of that? Is it something else? JoQuese, what do you think, and then Dan?

JoQuese: Yeah. So, Matt, for me, I am a conversationalist, so I like to talk, I think as we over inundate our leaders, our people, all of us with PowerPoints, reports, and all these wonderful things that it becomes information overload, and we don’t really get to have a good conversation. So for me, I’m all about the conversation, let’s hit the high points. I’ll definitely give you the PowerPoint and the memo, so that way, you have supplemental information, but I really wanna have a conversation. I wanna know that you’re just as engaged in the conversation as I am. And that’s really…in order to do that, we’ve got a talk.

Matt: And, Dan, what do you think?

Dan: Yeah, you know, I agree with JoQuese, so, though, I would say, I’m gonna be the classic lawyer and sort of, you know, it depends or, you know, it’s a combination really of, I think… So in my view, there is…a key element is the actual report itself you’re producing. And I know we’re going to talk more about what goes into that. And, you know, it’s not that it’s an extremely detailed report that you expect the board to pour over, it has to be pretty high level, but there has to be that work product that I think…them of the material risks and issues, and helps them develop confidence in you as a leader of the compliance organization.

But then, you know, corollary or second to that, and just as important, if not more important, is the conversation that ensues. And so the way we do it at Corning, for example, is we submit… I just did this in June. I did my annual update to our audit committee. They get my report ahead of time. They expect me to come in to hit a few highlights from that, but not to go through slide by slide, because they’ve already seen it. And then it’s that dialogue, as JoQuese said, there’s the discussion, they ask questions, sometimes they ask questions that aren’t related to the report. But, you know, you need to be prepared to be able to respond to those. And in doing that, it’s establishing your credibility and building a relationship. I think those kind of intrinsic elements are the key aspects of what come out of the board reporting, and really make you successful in the eyes of the board. So I think it’s a combination of the two and leading to those kinds of intrinsic connections.

Matt: Now, Nick, let me get your take on this, from the slightly different perspective that you are a CEO of ComplianceLine, you’re on the other end of this, you are getting inundated, as JoQuese pointed out. So what is the sort of thing that you want from a report?

Nick: Just short, you know, like, what’s the big thing? I think when I’ve seen these, and I think we all have this tendency, and I think we’ll probably talk a lot about this, we have this tendency to wanna show our work and show all of our receipts and, you know, prove that, “Hey, look at all this detail I have.” Like, I kind of trust someone that is in that role to…of course, they already have that. What are the three big takeaways that I need to know? And then we can dive into ones that I think are most important, or the ones that overlay with the other things that I know that are going on in the organization that the person presenting me or presenting to me might not be privy to. Let me double-click on those things, and don’t lose me in too many details.

Matt: Yep. Now, so to your point, Nick, I did wanna talk a bit more about what actually would go in a written report. And so let me… I’ll first pivot back to Dan, because you talked about that a bit. One thing that strikes me is that compliance officers are in a bit of a difficult spot when you’re talking with management or the board, because you’re probably meeting with the audit committee, they probably already had a report from the CFO that is 400 pages thick, and they’ve been going over that for two hours. And now in comes the compliance officer toward the end. And so how do you figure out what I want to put in the written material, you know? And how much pressure do you feel that, you know, they conceivably might just be exhausted and have been reported out, and they just wanna get this over with? So you really have to distill down to the key points. Like, first off, how true is that dynamic, do you think, when you’re reporting to the board? Dan, what’s your experience?

Dan: I think there’s certainly an element of truth to that. Although I would say, you know, the board and, of course, every board is gonna vary a bit, but I think that they take their role seriously, in my experience, you know, they’re gonna take the time to look at what you give them. But implicit in that kind of bargain is that what you’re giving them is concise, succinct, is only the sort of clearly relevant information, you know, the idea, it should have an executive summary with it, you know, you’ve got to do your work to make it as easy for the board to digest as possible. Right?

So, a couple of things, one, like I said, I think summarizing in executive fashion, avoiding, you know, lengthy sort of data summaries or putting that in an appendix. One of the things I try to do is, when I’m presenting any kind of data, make sure that it’s in a consistent format, you know, meeting over meeting. Because I think the board’s more interested in are there trends? Materiality has to be kind of in the back of your mind, right? Is there a material trend or issue or a hotspot, red flag? They don’t wanna, you know…they don’t really care about how many people you train in a given quarter on antitrust, but they’re looking for bigger picture things. And so by presenting information quarter over quarter in a consistent format, you make that job easier for them.

So, you know, I think they’re willing to take the time. But I would say, you know, there’s definitely a process of putting together a report for them that is concise. Frankly, you know, within Corning, I mean, and I’m sure many other companies, there’s a lot of attention that goes into what is presented to the board. And so you get input from other key kind of peers and stakeholders making sure that it’s in line with the expectations. And I think that’s beneficial to receive, you know. As the compliance officer, I welcome that input from others. So, you know, it’s something that should be taken very seriously. But I think, you know, the board’s willing to put the time in to look at what you put in front of them.

Matt: Sure. And JoQuese, let me ask you a similar sort of a question that, I guess, how do you decide what goes into the report? You know, Dan had mentioned you talk maybe with some other leaders in the enterprise. I don’t know what you all do or don’t tell the board or the board tells you, “We want this in or this out.” But you also have to keep in mind, it’s got to be concise, they’ve got a zillion other things on their time. So, how do you try and figure that puzzle out?

JoQuese: Yeah. So, interestingly enough, I want to call this out, I am not a lawyer, which is wonderful. But that also then helps me come from it from a bit of a different angle. So interestingly enough, we’re actually in the process right now, we’re getting ready for our quarterly report. And how we decided to really talk about our program is really around, what are the story? So Dan mentioned, kind of the trending. Really, what is it from just kind of a broader picture do I need my audit team to know? Whatever we present to them, we can also present to the DOJ if they come in, right?

So again, enough information to make sure that the questions are answered, right? It can stand alone. But where we go into detail, again, is in that conversation. So when we think about what is it that we want to tell them, I need to make sure that the audit committee, in particular, knows that they’re being held accountable to X thing, right? So if we’re having a distributor issue, they need to know about that. Right? If we’ve got some things that are, “Look, China’s getting a little hot over here.” I need to make sure you know that.

And I will say, you mentioned earlier right around the timing, many of us also serve on boards, I think we all realize that, right, once you’ve been in two-day meetings or a day where you’ve gone from 7 a.m. to 4:00, and you’re talking about compliance, at the end of the day it’s rough, right? Like, let’s not pretend, right? But I will say one of the things that I love about our board is that we’re required to get information to them at least two weeks before. They have a book that they actually read, and they go through and make notes and they annotate. And so they have questions. So we’re very targeted in that conversation.

And so, kind of going back to your initial question of what do we put in there, we have quarterly topics that we focus on. So we wanna make sure that we’re hitting those quarterly topics, those are usually aligned to our top enterprise risk. If there’s something that’s going on, if there’s a hot topic, if something is burning, we’ll make sure to bring that to them. But we also then kind of have our routine information that’s available to them. One of the things we stray away from is a long appendix. So one of the comments that we’ve done before is, “Look, if I need to read it, I need to read it.” Don’t put it in an appendix because an appendix becomes this kind of to-go place where you just give me extra information. And I don’t know if you really want me to care about it or not.

So that’s how we approach it for now, and I think we’re actually starting to kind of, you know, iterate as we’re learning. We just had kind of a new audit committee come in, a new audit chair so things that were great for the last one is different for this one. So really trying to understand what is their knowledge from a compliance perspective? Do I need to get them more kind of understanding of when we’re talking about risk, what does that mean? There has to be some assessment to really see where your committee is and where your board is, and then you iterate from there.

Nick: And that brings up an important point that every single group is different. Like, this is not a monolith. We’re not talking about just what does the robotic board want? I mean, it’s gonna be a function of the unique combination of individuals who you’re serving and who you’re presenting to, and through iteration, through insights, either beforehand, or, you know, asking folks, “What really stood out to you, in the pre-work that I sent you, or whatever that like early report?” To help inform what that sort of sacred time or that really sort of, you know, limited time you have, make sure that that’s is as impactful as possible, can really do a lot to help build your brand within the organization. But you have to understand that you’re speaking to a different audience, you know, potentially quarter after quarter, depending on how much rotation there is.

Matt: Well, I guess the question that’s on my mind is that, you know, how much is there a conversation maybe before the first report ever happens, where the board or the audit committee says, “We want these kinds of things in the report?” Versus you saying, “Well, you should have those two things. But if you’re just asking for calls in the hotline, you know, with all due respect, board, that might not be the most informative. Let’s try this.” Like, is there a back and forth conversation that has to happen, or that does happen to hone in on, this is going to be the most productive story to tell or way to present what’s going on. Dan, what do you think about how does that work?

Dan: Yeah. Yeah. You know, and so in my experience, I think it’s not as much…there is that conversation, but it starts more with, I think the compliance professional, whomever’s delivering this report, kind of establishing what they think are the key components, right, as to what the board needs to be advised upon. I mean, in the back of your mind, when I look at it, you know, there are multiple kinds of boxes you’re trying to check. You know, one is around the federal sentencing guidelines, and making sure that the board and its governance role or your compliance program has the necessary information that it needs, which is a little bit more kind of, you know, academic in nature.

More importantly, I think is, you know, thinking about what you think is important enough, what’s material enough for the board to know about? What are the… I look at it like, what are our program activities that I think they should know about? What are the risks that I see that I think they should know about? And then what are the key kind of metrics that we wanna share with them? And so we produce something. 

And then what has happened, though, to your point, Matt, is over time, by the dialogue that you have, once they’ve reviewed the report, the questions that get asked, and I think it’s a great point that both JoQuese and Nick made is, you know, every board member is different. And I know there’s always that one board member who’s got a background in, you know, cybersecurity, and they’re gonna have a question related to cybersecurity or whatever the case may be. So there’s iteration that occurs. And then over time, you produce a report that is really aligned with what the board is expecting. But I think it starts with the compliance professional, you know, exercising some judgment of what they think the board needs to know about, and then you go from there. That’s the way it has worked for me.

Nick: And how about carving out a couple of minutes at the end to critique your presentation and say, “Hey, folks…” Like, if you didn’t have that chance to have that conversation on the front end, how about saying, “Hey, which parts really resonated with you? How can I serve you better when I come and present this to you because I definitely don’t wanna bore you, I want this to be valuable for you. And I want it to be insightful for you as well.” Those couple of minutes, that does, I think, two things, it’s gonna give you some direct reads, If you haven’t had those opportunities to have those conversations, about what’s resonating and what’s falling flat. But it’s also going to show you to be somebody that’s a little bit more thoughtful and a little bit more intentional about the time that you’re, you know, occupying in this broad meeting where they’re covering 30 or 40 different topics.

JoQuese: And Nick, to that point, I mean, at the end of the day, they have a responsibility to the company and that seat that they’re sitting in. And so making sure that they feel a part of the conversation…

Nick: A hundred percent.

JoQuese: …and not just the chair. So I know for us, right, our chief compliance officer has a meeting with the chair before, right, to kind of breathe and say, “Hey, this is what we’re talking about.” Right? We really guide the conversation, but what we have learned, to Nick’s point, is, “Let me know, committee, what do you need to know?”

Nick: Totally.

JoQuese: “What’s keeping you up at night?” Right? These are senior-level executives in the business and there are things that are popping up probably in their own industries, where they’re like, “Does this apply here?” And so even getting that kind of feedback may even benefit you and say, “You know what, I didn’t think about that, let me go back and check, let me go back and do some diligence on that.” So that way you’re comfortable.

Nick: And that back and forth, gives you some better guidance for the next one so you can dial that in more and more. I mean, remember that old…? What’s that old quote from, like, I don’t know, let’s say it’s Abraham Lincoln. And he said, “I’m sorry, I wrote you such a long letter, I didn’t have time to write a shorter one.” Part of our job, when we show our competence in something is our ability to edit, right? So, like, the best directors, the best movie directors, they’re, like, great editors, because they know what they can cut out and what they can keep in, and what needs to be, you know, kept in to get those beats of the story in. And if we’re not storytelling in this time that we have, like, this is just such a big opportunity, I think, for us to present to the board, because we’re either going to fit this sort of stereotype that they expect of somebody who’s very buttoned up and doesn’t get it, and, you know, nerds out on compliance, or we can be this like breath of fresh air of somebody who really gets it, who understands the role that our function plays in the broader business. 

And really, you know, we can be a pattern interrupt if we play it right. And that’s where we can be memorable, that’s where we can improve our brand and really lead toward the type of, you know, broader impact that I think a lot of us wish that we had in our companies.

Matt: Yeah, so…

Dan: Can I chime in on that? I think, Nick, you said that extremely well. And I would just put in another plug, I think, another asset to a compliance officer, when they’re making that presentation and trying to improve their brand with the board is utilizing those other C-suite executives within the company, senior management.

Nick: Yeah, great point.

Dan: You know, because A, oftentimes they have more interaction with the board than, you know, I do, for example, our general counsel, our CFO, and so they can help. Now, granted, right, as a chief compliance officer, I’m going to exercise independence over what I think needs to be presented, and so I don’t mean that they have some sort of, you know, veto over, “Well, don’t talk about this,” but it’s just more, they can help you understand how best to communicate with the board, given their experience.

And frankly, you know, at the end of the day, I think one of the most important things you do as a CCO is that board update and that relationship with the board, because if the board likes you, you know, it becomes pretty difficult for the other members of the C-suite to be against you, you know. And I don’t mean to get into corporate politics, but it’s just you can’t understate the importance of the board dynamic, and then the impact that it has on, you know, management. And I just think getting alignment with your peers before you go in and using their input is critically valuable.

Nick: This is a game of chess, I mean… Sorry, sorry to interrupt, like, it’s such an opportunity. And if you’re not using it as an opportunity, it’s absolutely slipping through your fingertips 100%.

JoQuese: Yeah. And it’s knowing the business too, right?

Nick: Totally. Totally.

JoQuese: So sorry, Nick, you’re gonna kill me. But it’s like knowing the business and learning what ticks and what doesn’t tick. So, Dan, you mentioned corporate politics, not even so much as that is, I also find it my responsibility to understand my business.

Nick: Smart.

JoQuese: I need to know what is the hot points right now. Like, where are we struggling? What’s being said on the street about us, right? Because all of that ties in. When that committee is being brought together, they are getting all of those key points in at one time. And they need to also tie what’s happening in compliance to what’s happening in the business. So if we’re in a high-pressure situation, you think about COVID, you think about at least in the device space, right, we struggled with supply demands, quality demands, all of these things, right? That impacts culture, that impacts compliance. So I need to tie that together so my leaders understand that not just at my executive committee, but also my audit committee, and what’s happening. So that’s a part of our job too.

Nick: Great point.

Matt: Well, let me pull on that for a minute, JoQuese, because somebody had, a while back, said that they actually had to basically diplomatically correct their audit committee who said, “Well, how many calls do we have on the hotline?” That’s not your best indicator of what the corporate culture is. But that’s what you’re talking about right now, is you have to somehow capture the corporate culture and convey the sense of that to the audit committee or the board. So I was just wondering, maybe on a very pragmatic level, like, what are some of the things that you would put in the report to demonstrate to the audit committee or the board or whomever, “Here’s what our culture looks like right now, here’s where I’m confident we’re okay, here’s where I have some worries.” But I mean, what goes into that then? What are, I guess, the KPIs or the KRIs around corporate culture you might put in the report?

Nick: Good question, Matt.

Matt: So, JoQuese…Dan.

JoQuese: I love that question because we’re doing it now. So for us, we actually have organizational health survey where we’re actually looking…

Nick: Great.

JoQuese: …and measure the health of our organizations. So, our employees tell us, do they feel that they can speak up, do they feel that they’re being retaliated against? They tell us that. And so we’re looking at that from a trending perspective. And what we’re now doing is saying, “Okay, these are the metrics that we’re seeing. We’ve identified gaps here. We’re putting specific training, ethical culture tactics in this particular area of our business, and we’re gonna trend this and look at it and see if it’s working or if it’s not, and we’re going to course correct, right?”

So part of it is understanding the why. Right? So it’s always about the… Why am I sitting here? Why do I care what you’re telling me, right? You care about the culture of this organization because if we don’t have the right culture, then we can’t do things in the right way. Things may get done, we may hit revenue, but the repercussions of how you’re hitting revenue may come back on us. I mean, that’s what we want to avoid. So, that’s how we’re looking at it for now, from some key performance indicators, we’re looking at, specifically, we call them ethics circles, where we really are focusing on having ethical conversations at some of the lower levels in the organization, and where some of those stress points are hitting, right? So not the top executives, because those people they know what to do. And if they’re not doing it, they are choosing not to do it most time.

Nick: Good point.

JoQuese: Right? We’re talking about those pressure points where you’re a manager and you’re being told you have to hit this revenue target, that your numbers are changing here, you’re getting pressure on all ends. That’s where I wanna see what’s happening in the culture, that’s where I wanna see what the conversations are. Because really, those are the people that can really put us in a bad position. And usually, stuff is happening for a long time before we realize it, and by that time, it’s blown up.

Nick: Totally.

JoQuese: So, and we keep some pressure points on that to see, “Hey, we’re measuring this, we’re doing some concerted efforts, but nothing’s changing, or it’s going down.” Right? Then we’re saying, “Hey, either the conversations aren’t right or they’re not doing it. And so let’s address that.”

Matt: Dan, what’s your take on that same sort of a question there, that what are the metrics you’re looking for, for corporate culture? A lot of people are asking, of course, for the most specific ones possible, things like that. But I mean, how do you try and capture what it is and then convey that to the board? What are you looking for? And what do you put in the report?

Dan: Yeah, it’s good. So, you know, in addition, like I talked about, I try to convey some information about what we see in the regulatory environment, what are our program objectives. But we do try to focus on some specific quantitative metrics to give the board a sense of how our program is operating. Like JoQuese, we have a…we call it our values survey, but there are some questions that employees, you know, anonymously respond to about whether they can…for example, whether they can report an allegation without fear of retaliation, which I think goes directly to is there some kind of a cultural issue within an organization?

So, you know, we don’t report just that data across the board, but to the extent, there are areas that are red flags, you know, they’re below, significantly below where you’d expect them to be, that’s an indicator of culture that we would share. You know, in terms of… I do think there’s a role for compliance program metrics. Again, not just, you know, death by PowerPoint with slides, but we share with the board things like our overall case rates, rates per 1000-employee, right? So we have a sense of where you are. Our case substantiation rate, our case closure time, we look at those metrics and we track them.

Here though, what I would say is, what I have found to be most important, and what I would highly recommend is, if you’re going to put that in front of the board, they’re going to wanna know, “Well, so what?” Right? And the key is, “Here’s our rate.” And there’s lots of great sources out there for getting benchmark information, right? So in your industry, size of the company, etc., here’s the benchmark rate. And then you can show the board, “We are in line with the benchmarks.” And, you know, I think that’s an indicator that you’re functioning effectively, right?

So I would say if you’re going to put data up, make sure that you include some benchmark information. I found that to be incredibly valuable and helps them get a sense of it vis-à-vis someone else. And then, also, you know, make sure you’re kind of keeping it high level enough that it’s key metrics, and you’re looking for trends. Those are the things that I would say give them a really good window into how you’re functioning.

Nick: So, I love that you talked about benchmarking, why don’t we do this, I’m gonna call a little audible here. Why don’t we give away seven custom benchmark reports? We have a healthcare-specific one and also a general one for the general, you know, across kind of all businesses, drop a seven in the chat if you’re interested in that. And we’ll do a drawing to do these benchmark reports for you guys.

But to your point, Dan, we have to give folks, especially people who aren’t swimming in this ethics and compliance pool all the time, some anchor points because they don’t know up from down, you know what I’m saying? They’re kind of…we don’t want them to feel like they’re lost in the sort of avalanche of data. We have to show them kind of here’s where we are relative to ourselves last year, here’s where we are to industry benchmarks, here’s some of the improvements we’ve made. And to your point, why does it matter? Right? It’s not just the what, we need to pull it down to the why. And if we can relate that why to something that’s, you know, a broader industry trend or a broader sort of company-specific goal that might be sort of in play for the quarter, that’s going to help them sort of acclimate to why this time is valuable for them and why it’s important for them to listen into what you’re talking about.

Dan: Yeah, agree 100%.

Matt: Nick, shame on you for that giveaway, because now all the great comments we had just got blown up, all I have is the number seven.

Nick: Oh, all right. Well, we got to tell Jack to get to work here.

Matt: We have a lot of sevens. So, you know, one other thing…

Nick: Sorry about that.

Matt: … I’ve always wondered about or I’d like to talk about is the risk of reports that show the compliance department is busy. And you can easily come up with any number of data points to show you’re doing a lot of things. But that’s not the same as showing where the compliance function is or is not effective.

Nick: Great point.

Matt: And I just am wondering if any of you have any thoughts, or, you know, frankly, maybe lessons you’ve learned the hard way about what you shouldn’t put in a report because it’s just not necessarily information that’s valuable, but it’s stuff that we all might like to, you know, we all think, “Oh, yeah, we should put it in,” until you stop and think, “Well, it’s not really that valuable to us.” There’s a tremendous distilling process that has to happen. I don’t know, Dan, and then, JoQuese, you know, what do you think about this risk that your reporting might just show you’re running around, but that doesn’t necessarily mean that the function is effective, or the culture is effective. How do you avoid that kind of a trap?

Dan: Yeah, it’s a great point. And it’s sort of to Nick’s, you know, quote earlier, whether it was Lincoln that said it or not, it’s a great quote about, you know, the idea that it takes time to actually do something in a shorter, more succinct way. And I think, you know, you start with the notion that the board expects you to be strategic… We all fight this battle, at least I’ll speak, you know, for myself, right, on a daily basis. You know, you’re dealing with the fires that come up, and all the issues of the day, and yet you’re still supposed to be a strategic leader. And if you let yourself get too dragged down into the trenches, you know, you lose that strategic perspective.

Nick: Great point.

Dan: And going into a board session, you’ve got to have that strategic, you know, hat on. And I can give you an example. Right? So, one of the things that we were doing in our annual report to the audit committee, we were sort of keeping, you know, a running list of…year over year, we would talk about key program improvements and priorities. And then, you know, this list got to be, we were looking back, like three years over multiple slides, and I thought to myself, “Does the board really care that three years ago, we, you know, upgraded our anti-corruption training?” And on the one hand, it made me feel good to look at that and say, “Wow, look at everything we’ve accomplished.” Right? But at the same time, I had to say to myself, “We were just trying to show we were busy.” To your point, Matt, versus, you know, we were strategically focused on key objectives and priorities. So we have taken out the running list of everything we’ve done and focused it in on what are the…

And another, you know, example is at Corning, the company creates what we call our strategic one-pager for the year, and then every function, you know, sort of is supposed to align itself with that one-pager as to where you fit. And I can show the board with the compliance priorities I’m putting up there, how it connects from our law department to our corporate one-pager. So you know, I think the key is around the strategic alignment and what’s really important, and doing that helps avoid, you know, the looking busy kind of trap that it’s easy to fall into.

Matt: JoQuese, what’s your take on all of this, the looking busy trap?

JoQuese: Yeah, so I’m all about effectiveness. I think at the end of the day, all of us are trying to figure out how to do more with less. We have employees that are burned out, we have the reality of just the environment we’ve been in, and so I am not a fan for doing work that nobody’s gonna read. If we have employees working on reports for one meeting that may last one hour, like just sit back and think about it. How much of a disservice are you doing to yourself as a compliance officer and to your organization? That’s not where good time is spent. Right?

Nick: Good point.

JoQuese: So look, if you want the data, cool, I have it. Right? Trust that I have it, right? This is I need to establish a relationship with you that you trust me that I’ve got that. But I will not use my team’s time to focus on one meeting, one PowerPoint slide to let you think that I am busy when I actually have things I need to do and I can’t get to them because I’m trying to create a report. And I’ll say, it’s a little bit of a lesson learned, and also from being in the trenches and having to pull all the crap together. Let’s just be honest, if you ask the people that are doing that, when you pull all that together, you put all that work together. And then to realize somebody went into a meeting and didn’t even get a chance to go over it, like, God, think about how, like, just demoralizing that is as an employee, right?

So there’s a few things that I am trying to manage just from a leadership perspective of how do I protect my employees and keep them from being burnt out on stuff that’s not helping me move my program forward? Now, look, I may run into somebody who’s like, “Nope, I want the details.” That’s wonderful. Let me do that and let me have my team focused on what’s most important to ensure that we are mitigating risks and we’re preventing and detecting. But that’s how I look at it, because I just, I can’t…the thought of wasting time like that just, like, sends chills up my spine.

Nick: I wish I had a button that I could press and then we can just relisten to that whole thing that you just said because there’s so much power in what you’re talking about and there’s so much confidence in it. And that’s why we’re in this position, you know what I’m saying? We’re in this position to tell them what matters and what doesn’t matter. 

And I’ve seen a lot of folks and not just in ethics and compliance, I mean, in my previous life, I was in a lot of different board meetings. And you can see people come in sort of this sheepish, almost hiding behind, you know, their notes, or whatever, that gives off an energy that ends up kind of creating the self-fulfilling prophecy of like, “What is this person even doing here?” Like, we know what’s important, we know what’s not important, and we can inadvertently create this self-fulfilling prophecy of trying to like justify our role. And then we’re in the same breath, you know, confused why we’re looked at as a cost center. Well, you’re acting like a cost center. You’re not acting like somebody who’s, you know, I’m fighting on this side of the war, I’m fighting on this side of the battle, you can trust me that all my troops are lined up, and I’m gonna tell you what matters, “You wanna know my game plan? I got that, and I’m happy to give it to you.”

But that kind of a posture is way different than that sort of stereotypical cost center, you know, thing that a lot of folks end up engaging in when they’re coming and presenting in front of these folks.

JoQuese: Yeah. And if I need to justify my headcount, let me show you how I’m actually doing that and how it’s impacting the business.

Nick: Exactly.

JoQuese: Right? So it goes back to that whole understanding the business and understanding what you’re driving from a top line because to your point, Nick, right, yeah, we can’t be viewed as a cost center. I’m also viewed as saving your butt, and so you’re not getting a $3 billion fine here, right? So like, but how am I… I can show that to you in a way that doesn’t have me sitting here saying, “Well, we did A, B, C, D, E, F, G, H, I, J, K, this quarter.” Right? And that’s just, yes, we can come up a little bit in how we’re displaying.

Dan: Yeah, I agree with that. I agree with that 100%. I saw a comment in the chat a while back, before the sevens, I think. I think it was…it started with someone named Tammy, I didn’t catch the last name. But, you know, it said that, you know, sometimes people talk about compliance as a department of no, N-O. And that can’t be that…you can’t be that, right? You’ve got to show all your strategic partner to the business and how you’re adding value. And that’s exactly what you’re saying, JoQuese, so I agree with that 100%. You know, that’s part of putting together an effective report to the board, and then they’re gonna look at you differently than they would if you come in and kind of sheepishly just try to justify your existence. So I couldn’t agree with that more.

Matt: Yeah, I think, JoQuese, you could probably run for congress based on the number of claps and enthusiasm you’re getting…the audience here.

JoQuese: That’s a strong no. That’s a strong no.

Matt: …Let me switch gears just a little bit to something a bit more practical. For 35, 40 minutes now, we have been talking about reporting to the board. How is it different if you are reporting, say, just to the executive team, the CEO, CFO, and whoever might be more hands-on? Their in-house people, not the board. Is it a different presentation? Does it happen at different intervals if you present different material? Doesn’t happen at all? Dan, what’s it like at Corning, and then I’ll ask JoQuese that too?

Dan: Yeah, yeah. So, you know, I do think it’s different. I think it’s, you know…there are aspects that are similar, but in my experience, it’s a deeper level of detail, you know, there’s more back and forth. So, an example I can give is, you know, we do a quarterly kind of governance council meeting for Corning, that I do with other senior C-suite leaders, but, you know, not involving the board, right? And that one is a much more informal, obviously, less about a kind of, you know, nice PowerPoint presentation and discussion and more about a roll up your sleeves, you know, priorities and objectives of compliance and areas of focus and soliciting their input, things that they’re seeing in the areas they’re responsible for, that then provide feedback for where I may need to focus.

So there’s a different feel to it, I think, you know. There’s still an element of ensuring there’s awareness of key compliance priorities and risks. But I think, you know, it’s more detailed, it’s more back and forth. And there’s a feedback loop, I think is important.

Matt: Is there an actual report that you give with some, I don’t know, findings, or not?

Dan: It’s more of, you know, a couple of page outline that I put together for that council on a quarterly basis, and then, you know, some metrics in our hotline cases. So there’s a report, so to speak, but it looks very different than what the board gets. Much more informal and more detailed. Then there can be other… I’ll just make the point, there can be other governance-type bodies. Like at Corning, we have something called our risk council, which is…it doesn’t involve the board, it involves a cross-section of senior leaders. And I report to them on an annual basis. And that one looks a little bit more like the board report, but again, you know, to this point of sort of understanding who you’re talking to, you know, what they represent, what functions are coming from, you tailor it to that audience. So I do think, you know, that it looks different, and that the point of it is different when you’re dealing with the senior management as opposed to the board.

Matt: And, JoQuese, how would all of that work, in your mind, say, at Medtronic, or some other company that you might have been at before?

JoQuese: Yeah, so you guys probably already know where I’m going with this, because I’m all about efficiency, right? So, for me, we have one core report that we work on, and that goes to our CEO and kind of his direct reports. Right? So that’s our quarterly report. And I’ll use the number of slides that I just finished working on, 24, right? Twenty-four slides to have our conversation. For the audit committee, we take a subset of that, because the timing is a little bit less, so we’ll drop that down to maybe half of what we’ll present for the audit committee.

And then based on the structure or organization, we then also have our operational unit presidents or our business leaders. We actually have compliance officers assigned to those business leaders. So that will get more detailed in what’s happening in my business because again, that’s where the conversation changes of, why do I care? Because what I might be talking about with the C-suite and the audit committee is more Medtronic from a PLC perspective, right, company as a whole. That business leader is concerned about what is happening in my business that I need to know right now.

And so what I wanna do there is give them a broader context because what we have to remind them of is that because of the size of our company, we are on the radar. So what’s happening in other businesses impact you whether you believe it or not. So I need you to understand that from a context perspective, but let me tell you if it’s a high-risk area in your particular business. So we kind of look at it from those three different levels. But we try to keep the same content, right? Because, again, it goes back to the more content you create, the more people that are working on that content and trying to then distill data in a way from the same sources to create different information. And we all know how funny data can get, and so we have to be very careful with that.

Nick: Well, JoQuese, you are all about effectiveness, aren’t ya?

JoQuese: I’m all about it.

Nick: That’s pretty good.

Matt: Like, what would you think about, say, the difference between reporting to the board versus reporting to an executive team? What are the sort of issues that, you know, you would want the executive team to be keeping an eye on? And, you know, how do you make sure that those kinds of conversations are still productive? I mean, what’s your take on what we’ve been chattering about here for the last few minutes?

Nick: So, I think it’s always like… I think you’re talking to me, right?

Matt: Yeah.

Nick: I was laughing too hard at my joke I’ve heard… Okay. I think it’s all about, like, how much are we zooming in? Right? So maybe at a board, it’s a super high level, and for a different, you know, organization, a different operational unit, we may need to zoom down a little bit more, and to JoQuese’s point, try to tie that into what’s going on, you know, in their reality, because, like, why does it matter? Right? Everyone’s always asking that question, particularly today, when we’re just inundated with so much stimulus, and so much data, and so much information, we’re like, “Do I need to pay attention to this? Do I need it?” That algorithm is always running in our mind.

So, giving them that information upfront, I think, is really effective. And asking that question yourself before you go and give that presentation is pretty critical as well. I would say that kind of regardless of what different levels or different groups or ethnic circles or, you know, these different committees that we’re presenting to from time to time, I think a best practice is kind of a few different things. 

One, I would always try to boil everything down to three main messages, like what are the three big things that you want someone to walk away with? That’s one. The second one is, what kind of a story can I weave together? We’re all wired for a story. And if we’re not storytelling and we’re not telling the story that our data is presenting and turning that data into actual information, then it’s always gonna fall flat and you’re just gonna sound like every other, you know, Peanuts teacher that, you know, people kind of have to sit through.

And finally, this is an important one, what is the feeling you want them to be left with at the end of your little talk? Do you want them to be scared? Do you want them to feel secure, that, “Wow, I’m so glad JoQuese or Dan is on this thing?” Do you want them to get a light bulb turned on because you’re making a connection between some sort of leading indicator data that’s going to, you know, tie down to something that they’re really facing, whether it’s great resignation, or employee engagement, or any of these other kinds of things that we talk about? And I think just even spending 5 or 10 minutes prior to any presentation, tying it down, you know, in looking at those 3 things, like, “What are my big 3 messages, you know, how can I kind of tell some sort of a story here? And what feeling do I want them to be left with?” It’s going to just pack a little bit more of a punch. And it’s going to resonate on a deeper level than if we’re just reading a bunch of words off of the page.

Matt: So, I wanted to shift gears to one more topic before we get to the Q&A part. And we’ve got a couple of questions keyed up from the audience we’ve been saving here. But let’s assume that you have some crisis happen at your company. I’m sure that has never happened at Medtronic and Corning. But if it does, if you have a crisis that you need to bring to the board, an FCPA investigation, misconduct of a senior executive, something like that. Like, what is that sort of reporting look like? And the first question, I guess, is like, is there a report? Is there a discussion about it? You know, but I’ll ask Dan first, and then JoQuese. When you’re talking about a specific issue that might be crisis-like, what’s that gonna have to be like when you’re with the board?

Dan: Yeah. First, I’m going to knock on wood, since you’re making me talk about, you know, crisis…

JoQuese: Agreed.

Nick: Burn some sage. Burn a little sage there, buddy.

Dan: Oh, so I’ve done that. No, it’s a great question. Right? And I think, you know, everything we’ve been talking about up to now is the more routine, and all of that, to me, builds the foundation for when you have to take an issue like this to the board, the crisis. Because you’ve instilled in them a sense of your credibility now. You know, to get to your specific question, Matt, to me, this is a critical, these are one of the… I’ve heard it talked about as sort of career-defining, right? So when you’re faced with an issue, and you think to yourself, “Well, you know, maybe the board doesn’t need to know about this.” And then it turns out later, you know, that you didn’t report it to the board, that could have a really negative impact on you. 

But at the same time, you know, you don’t wanna be running to the board every time you think there’s a crisis, right? So there’s definitely a balancing you have to exercise, but some things are just gonna be evident, you know, an FCPA investigation, the board should know about that.

So, in my view, I think the key to a report like that is speed, is, you know, succinctness. I don’t think it’s the kind of thing where you produce necessarily a written, you know, work product. I think the first time it’s being reported is probably orally in, you know, a telephonic meeting or something along those lines, you’re just you are communicating the key kind of information so they know about it, and, you know, not waiting until you’ve investigated for X amount of time so that you have more detail. Because if I’m on the board, I may be thinking to myself, “Why didn’t you tell me about that, you know, two months ago when we first got the subpoena?” So, it’s more important about getting to them quickly, giving them the key information.

And then I think, to Nick’s point a minute ago, you know, what you want to leave them with is, “Here’s the plan, here’s not…every step of it, but we got this, you know, we’ve pulled in great outside counsel that’s experienced in this area, we’re gonna investigate it, and we’ll come back with more information.” You know, you wanna leave them with this sense that it’s in good hands. And then, you know, go and execute on that. I think those are the key aspects of that sort of crisis report.

Matt: And JoQuese, well, what’s your thoughts on crisis reporting and that kind of issue?

JoQuese: Yeah, yeah. So Dan, something I love that you said, right, is that everything that you’re doing up until that point is building that credibility. And I think that is so important, right? Like, some of you were mentioning the confidence that I have, right? Look, nobody can tell me better than me how I’m showing up, right?

Nick: A hundred percent.

JoQuese: The information that I know in my head, right, we all know that. You’re in the role for a reason. And so building that confidence is so important and so critical because then it doesn’t feel like they need to then get in the weeds, right? So you kind of set yourself up for success. But as I was thinking about it, as you were asking that question, Matt, they’re kind of four things that come up to me. So first, no, not a written report at the beginning, right? There are some things we don’t need to write down. And I’m sure my general counsel would appreciate me saying that.

But first of all, the what, right? What are the potential impacts? What are we doing about it? And then, most importantly, what if anything is needed from them right now? That is how we start off. And then as things evolve, my promise is that I will keep you updated in a timely manner. I ask that you trust that I’m moving at the pace that needs to be kind of done for this particular thing. But if something comes up and realize that I will not get it right all the time, right? If something comes up, understand that I may run to you and give you that information. But it’s really setting that context up. I think, too, the other thing that’s important is knowing who your leaders are. So if you have a CEO that wants to know about everything, well, then you better let them know about everything, right?

Nick: Good point.

JoQuese: If you have a leader that’s like, “No, I got too much other stuff to worry about, if this becomes a problem, let me know,” then that’s how you show up. I think you have to play the middle of that. Because I’m not a person that wants to scare everyone. I love that question you had, Nick, like, “What do you want to leave them with?” I’m not here to scare you, right? I’m not here to come from a place of no, we’re here to be partners and collaborate and make sure we’re mitigating risk, right? Things are going to happen, but I need you to know that when I am saying something, when I’m escalating something, it needs to be escalated. But I will also appreciate how you are as a person, because we all have different ways that we show up and ways we need information.

Matt: Sure. Nick, what’s your take here on having productive conversations and briefings about crises?

Nick: Yeah, I think, you know, just to add to what JoQuese and Dan just said, I think telling them about it, and telling them kind of how it’s probably going to go is helpful. So we have to do this from time to time, if something goes wrong in our own business, and we’re presenting to our own board, we can tell them what’s going on, tell them what the plan is. And then I always try to say like, “Worst case scenario, this means X, best case, it’s Y. I think it’s probably going to be something like this, and I’ll keep you updated on it.” That at least kind of contains it and draws, like, a little bit of, like, a barrier around it. And they’re not just like in a panic of, you know…because we all have that negativity bias, right? Like, we fill in the gaps, like, the worst case scenario, whatever.

So in that explanation and in the calmness that you have the potential to convey there, you can really convey a lot of confidence to them that A, you know what you’re doing, and B, like, “Okay, hey, I got this. And I’ll keep you,” to JoQuese’s point, “I’ll keep you posted on what’s going on.” Like, the worst thing is when someone says, “Hey, I gotta raise the alarm.” And like, you’re like, “What are we talking about? I have no idea. Like, is the company burning down? Did somebody stub their toe? Like, how big of an issue is this?” You know what I’m saying? 

So, giving some context on the size of it, you know, giving some context on, like, what the goalposts are around likely outcomes and how you think it’s gonna go and how you’re gonna basically, you know, kind of guide through the process, I think can allay a lot of fear. And that’s kind of the game that we’re in, right? We’re in this sort of risk management, fear management, confidence brokerage game at some level.

Matt: So I want to get to a couple of other questions from attendees, we haven’t actually slipped into the conversation yet. Where was one? How do you report to the board when some members might be very well-versed in the industry and compliance and some members aren’t, and this might be the first time they’re ever thinking about compliance issues, but you have to span both audiences? How do you try and bridge that gap? I’ll ask Dan first, and then JoQuese. What advice would you give?

Dan: Yeah, you know, that’s difficult, because, you know, you don’t wanna overwhelm the folks that know it but underwhelmed the ones that don’t. One of the things I’ve done that I think would be helpful in that capacity is around how you structure what you’re reporting. And so we have in past reports kind of laid out, “Well, these are the…” To educate those folks who are not knowledgeable, lay out, “Well, here are the key aspects, and the DOJ has given us, you know, a treasure trove of guidance over the last few years. So here’s what the DOJ has said are the hallmarks of an effective compliance program, here are the basic elements, and then here’s how at Corning we’re meeting those.” You know, you can educate them on how you’re in line with the expectations of the regulators, for example, to help them learn a little bit more about compliance.

Now, if you truly have some people that are just absolutely new and then others who are well experienced, I personally would see if you could have a, you know, separate discussion with those new folks and give them that foundational information and some background. And, you know, at Corning, we have that, we have sort of a, you know, new director orientation where they’re given background on things. So I think, ideally, you know, you find an opportunity or you create an opportunity to do that separately so that, you know, you’re not kind of annoying the other board members who know all that. But, you know, I think using kind of, like, we’ve talked about, industry benchmarks or using some background so that then they get a mindset or a framework of, “Okay, you know, what is a corporate compliance program all about?” And then you educate them on your specific program and how it fits. That’s how I would come at that, to try to educate them.

Matt: JoQuese, I actually I wanna give you a different question, just in the interest of time because I think you’d have something good to say here. Somebody writing in asking, how much should compliance engage with day-to-day business and other business units? Our team is currently expected not to engage, they just present the risk, let the business run itself, and then audit to see if the business has done enough to address the risk. What should I do? What would you think of that kind of situation?

JoQuese: Yeah. So I think unfortunately that’s an unfortunate situation. I think at the end of the day, right, there’s…as someone who’s supposed to understand the risk of your business, the best way to get that knowledge and understand the business is to actually be in the business and sit at the table and understand the strategic conversations, understand where some of the challenges are. It has to be a partnership. So that’s what I would say, try to get in front of those leaders, have that conversation of the why. Because a lot of people think you’re just trying to get in just so you can tattletale. That’s not the point.

Matt: Yeah, I think that is invaluable experience to have some stint in inside sales, or the customer call center, or something like that. Always gives people such a grounded experience. The last question I’ll sneak in here is, how do you set realistic expectations for timeframes? Because being new to the organization, cleaning up messes to introduce best practices, I tend to put a lot of pressure on myself to show that I’m available, but everybody seems to have a fire that needs to be put out yesterday. How do you deal with this? I’ll ask Dan, very quickly, and then JoQuese. It’s got to be maybe about 35, 40 seconds each. But what would you say to that? And then Nick…close.

Dan: I mean, I think, you know, that’s what I kind of said earlier, right? That’s the struggle of a job like we’re in is how do you balance the daily fire with the strategic objectives you’re trying to accomplish? I think it sounds like the question, you know, part of it is boiling it down to what are the… We have this concept we use a Corning called the vital few, like, what are the key three things I really need to focus on? And then advance those strategically recognizing, you know, you can’t do all those things. And you’re just gonna set up yourself to fail if you try to do too much in too short a time.

Matt: JoQuese, what do you say?

JoQuese: I’ll be quick here, you gotta know your top risk, and you gotta start from there. You cannot do everything that doesn’t…it doesn’t even make sense to try to set yourself up for that. Identify your top risk, identify your 30-60-90 plan, communicate that, set those realistic expectations, and go from there.

Matt: And Nick, we’re just about out of time. So I don’t know if you have any other final thoughts or a wrap-up you want to give, but what do you say?

Nick: I say that this was a good one. So if this is your first time coming to the EthicsVerse, share it with your friends, we do this every single week at 12:00 Eastern Time. EthicsVerse episodes, this is the kind of vibe that we like to have. Super thankful for Dan, super thankful for JoQuese for joining us, Matt, as always, you are the man. I mean, this chat has been crazy. We got like 1000 comments in it.

If this was a great session for you guys, drop a one as a thank you to JoQuese and Dan, you guys were awesome. We learned so much from you. And we’ll be circling back with recordings and the new schedule. Our team sent us the new schedule, again, we have some really great episodes coming up, some more deep dives. If you have ideas of other topics you’d like us to do, please drop them in here. We have a ton of content to produce. It’s great to get other thought leaders involved and pick their brains about what’s working and what’s not working so that we can address our challenges.

Our biggest opportunity is right now before us. We have a once-in-a-career opportunity in ethics and compliance and human resources to really elevate because all the stuff we’ve been talking about for the last 10 or 15 years are coming top of mind for everybody. Whether it’s workers, whether it’s managers, whether it’s execs, everyone’s lightbulbs are starting to turn on. And we’re strategically positioned to really start elevating and changing the integrity of our workplaces, making that more authentic, and improving the employee experience so that we can bring our whole selves to work. That’s really what this is about at the end of the day. So thank you all for joining us on the EthicsVerse. Thank you, Matt. Thank you, Dan. And thank you, JoQuese. This was awesome. My pleasure.

Matt: All right.

Dan: My pleasure. Thank you very much for the opportunity.

Matt: Thanks, everyone. Have a good day,

Dan: Take care, everybody.

Nick: Bye, everybody.