Wildly

STRATEGIC
Compliance
Officer
Workbook
LEARN THE SECRETS OF STRATEGY AND PLANNING TO
BECOME AN IN-DEMAND BUSINESS ASSET

Kristy Grant-Hart
with Donna Boehme

Brentham House Publishing Company Ltd.


Covent Garden
WILDLY STRATEGIC COMPLIANCE OFFICER WORKBOOK
Copyright © 2017 by Kristy Grant-Hart.

No part of this book may be used or reproduced in any manner whatsoever without written permission
except in the case of brief quotations embodied in critical articles and reviews. For information and
permission please contact:
Brentham House Publishing Company
71-75 Shelton Street
Covent Garden
London, WC2H 9JQ

Brentham House Publishing Company books may be purchased for educational, business or sales
promotional use. For information, please email the Special Markets Department at
Info@BrenthamHouse.com.
FIRST EDITION
A CIP Record of this book is available from the British Library.
ISBN: 978-0-9934788-3-3 (soft cover edition)
ISBN: 978-0-9934788-4-0 (electronic edition)
Praise for the Wildly STRATEGIC Compliance Officer Workbook:
“I’ve worked with hundreds of compliance professionals, at companies all
over the world. The true standouts are the ones who can plan, articulate, and
consistently deliver on strategic compliance goals. Wondering how you can
extricate yourself from the day-to-day firefighting and have real impact – on
your company, in your career, and even within the compliance industry?
Kristy’s highly engaging and very useful workbook will walk you through
how to start making the right strategic decisions so you, too, can be wildly
effective in your role.”
- Kirsten Liston
Founder, Rethink Compliance
"Kristy Grant-Hart has once again provided the compliance profession with
an easy-to-use reference guide which allows you to think through large,
eponymous and difficult risk management issues. Her workbook provides
both real world examples and key forms, which document the decision-
making calculus which you can use to worth risk issues. The universality of
the forms makes this Workbook a key resource for every compliance
practitioner, risk management professional or business leader struggling to
understand risk and its management for a more efficient and profitable
business."
- Tom Fox
The Compliance Evangelist
“This is not another theoretical, high level book that speaks ‘AT’ you. This
one walks the path beside you, guiding, steering and advising. Meaningful and
relevant throughout, full of great examples and advice. I love the simplicity,
broken into bite-sized chunks that we can all relate to. If nothing else, this
should be your first stop on the Compliance & Ethics reading platform as
your foundation for your program."
- Susan Du Becker
Cisco Systems, Global Compliance
Contents
Introduction: A Tale of Two Compliance Officers
The Difference
Why Every Decision Is a Strategic One
Our Compliance Journeys
What This Book Will Do for You
My Notes and Ideas for Implementation
Chapter 1: Knowing Who and Where You Are
What’s Your Type, Baby?
Knowing Your Type
Riding the Compliance Wave
My Notes and Ideas for Implementation
Chapter 2: Choosing Risk: Do You Really Want to Eat the Whole Elephant?
The Elephant in the Room
Defining the Risks
Here’s Your Chance
A (Wo)Man with a Plan
My Notes and Ideas for Implementation
Chapter 3: Come Join Me in My Vision
Creating Your Three-Year Vision
Where Do I Start?

Where We Are Now Versus Where We’re Going


Here’s Your Chance:
Here’s Your Chance
Creating Your Year One Goals
Here’s Your Chance
The Monthly Compliance Dashboard
Here’s Your Chance
My Notes and Ideas for Implementation
Chapter 4: I Want Money, That’s What I Want: Successfully Engaging the Board and C-suite to Get
Budget and Resources
Putting It Together
My Notes and Ideas for Implementation
Chapter 5: Finding and Developing Sources of Power
Covert Power, Influencers and Named Leaders: Identifying the Power Sources
The Four Primary Motivators
Leveraging the Primary Motivator with the Power Sources

Finding the Primary Motivator of Each Power Source


My Notes and Ideas for Implementation
Chapter 6: When Disaster Strikes, a Strategic Response is Critical
Keep Calm and Carry On
Who’s Got Your Back?
Never Waste a Good Crisis
My Notes and Ideas for Implementation
Chapter 7: What Does Success Look Like?
Moving Targets
Remember Your Mission
Every Battle Is Won Before It Is Fought

My Notes and Ideas for Implementation


My Notes and Ideas for Implementation
My Notes and Ideas for Implementation
My Notes and Ideas for Implementation
My Notes and Ideas for Implementation
About the Author
Acknowledgments
For my beloved husband, Jonathan Grant-Hart. You are truly the one in
whom my soul delights.
INTRODUCTION

A Tale of Two Compliance Officers

“Every battle is won before it is fought.” - Sun Tzu

On the same day three years ago, Jaleel and Rashanda began work as
compliance officers. Each was newly in charge of the compliance
program for a regional chain of fast food restaurants. Both fast food
chains had recently gotten into trouble for ethical failures, so both were in
crisis. Jaleel and Rashanda were both excited by the opportunity to make
their company better, and each was entirely committed to doing the best job
possible. But what happened next changed everything.

Jaleel’s Experience

Jaleel came in on day one not knowing what to expect. He’d researched the
company and spent his first few days meeting the management and learning
about their priorities. He carefully constructed a three-year plan, and at his
first board meeting, he presented his vision for each area of the compliance
program. He told the Board members what to expect, and showed them his
goals and milestones. The Board agreed with most of it, but questioned some
of the spending on the third-party due diligence program and online training
costs. Jaleel amended the three-year plan and sent a re-focused budget based
on the Board’s changes. The Board approved the budget and year-one goals,
and Jaleel went straight to work.
Over the rest of the year, Jaleel felt battered by the barrage of bad press the
restaurant chain received. He responded to these crises, but once each fire
was out, he’d diligently work on the projects he had highlighted as his
intended year-one accomplishments. At the end of year one, Jaleel went to
his Board meeting proud to highlight the third-party due diligence platform
and process he’d implemented. The Board asked why the Code of Conduct
hadn’t been updated, and Jaleel reminded them that he’d designated the Code
rewrite as a year-two priority, and that he’d begin working on it immediately.
The Board was happy.
Jaleel rolled out the new Code of Conduct in year two, and at the end of year
three he was able to compare his past three-year plan with his
accomplishments. The Board was thoroughly impressed. As Jaleel presented
his subsequent three-year plan, he asked for a bigger budget. He wanted a
dedicated training team member who could go to the various locations to
provide in-person training. The Board approved his new plan and his
expanded budget. Jaleel felt appreciated and knew he was trusted. He was
happy to continue at his job.

Rashanda’s Experience

Rashanda’s experience turned out quite differently than Jaleel’s. Rashanda
came into her job excited and ready to deal with the crisis at hand. She
jumped head-on into the problems, working with management to handle the
PR crisis and to stabilize the ship. Three months into her job, Rashanda
reported to the Board. She told them how well she’d handled the crisis, and
they agreed. She said she would be focusing on making a good compliance
program according to the seven elements of the Federal Sentencing
Guidelines. The Board was happy.
Over the rest of the year, Rashanda felt battered by the barrage of bad press
the restaurant chain received. She responded to each crisis diligently. Every
time she finished dealing with a crisis, she returned to her email, which
seemed a never-ending stream of requests. She responded to each one, and by
the end of the day wasn’t sure what she’d accomplished. Rashanda decided to
work on the anti-bribery policy, and on creating a new, more modern type of
online training, but it was hard to put the time into both the policy-writing
and the new training.
At the end of year one, Rashanda went before the Board. She presented on
how well she’d handled the crises. The Board members agreed that she’d
done a good job with the crises, but then wanted to know what she’d
accomplished in the other parts of the program. She told the Board about the
nearly completed anti-bribery policy, and promised them new online training
in year two. The Board seemed disquieted but still gave her their respect.
Rashanda successfully rolled out the anti-bribery policy and online training in
year two, but found herself once again mired with responding to email,
internal investigations and responding to the business. The whistle-blower
hotline project took months to begin, and at the end of year three, Rashanda
had to tell the Board it had not yet been completed. Rashanda then asked for
a dedicated training team member who could go to the various locations to
provide in-person training. The Board declined. They hadn’t seen any real
difference in the compliance program in the past three years, and they’d lost
faith in Rashanda’s ability to deliver.
Rashanda finished year three feeling defeated and underappreciated. She’d
worked so hard, but the Board didn’t seem to take notice of it. She began to
think about looking for a new job.

The Difference

What was the difference between Jaleel’s and Rashanda’s experiences? Both
were equally well-qualified and enthusiastic about their job. Both were
similarly skilled and had similar backgrounds. But Jaleel took a strategic
approach to the position, while Rashanda simply put out fires and responded
to whatever was immediately in front of her.

Jaleel started by creating a plan to present to the Board. The Board liked most
of the plan, but provided feedback on where Jaleel should change it. In this
way, when Jaleel presented the amended plan and budget to the Board, he got
sign-off and buy-in on his vision. He ensured that from the beginning he had
clear goals and deliverables. The Board expected him to meet the goals and
deadlines he’d presented. They did not have their own private expectations of
what he was to accomplish, as Jaleel had set the stage for his success.
Because Jaleel had specific goals, his focus was not splintered into working
on many separate projects. While he had to deal with each crisis when it
came up, when he had down time, he went back to accomplishing the things
he’d highlighted as each year’s priority. Therefore, by the end of each year,
Jaleel accomplished what he’d promised, which gave the Board more faith in
him. His energies were focused on success, and at the end of the three years,
the Board knew if they gave Jaleel the resources he requested, he would use
them to accomplish the next set of objectives he set out.
Rashanda’s experience mirrors that of so many compliance professionals.
She went into the job excited and ready to make a difference. When a crisis
came up, she responded to it, but when it died down, her energies and
concentration were splintered on multiple projects, so no single project was
completed quickly. Because she hadn’t created a vision for the Board to buy
into, each Board member came up with their own unspoken expectations of
what Rashanda should be able to accomplish. When Rashanda didn’t deliver
on their unvoiced expectations, they lost faith in her.
At the end of the three years, when Rashanda asked for additional resources,
the Board said no because they felt she had misspent resources they had
already given her. She wasn’t able to point to many achievements, so the
Board declined to support her new requests.
Understandably, Rashanda felt bitter and unappreciated. She had worked just
as hard as Jaleel, but her work wasn’t highly valued, and her contributions
weren’t as visible. The difference between Jaleel’s and Rashanda’s
experiences came down to planning, setting expectations, and strategically
delivering results. Hard work by itself won’t make you successful as a
compliance professional. Your work must be directed, focused, and strategic
in order to bring forth results that get you appreciation and promotion.

Why Every Decision Is a Strategic One

There are many definitions of strategy. One source defines it as, “a high level
plan to achieve one or more goals under conditions of uncertainty.” Another
calls it, “The art and science of planning and marshalling resources for their
most efficient and effective use.”
As two experienced compliance officers who have spent a combined total of
over 30 years in the trenches, we believe that being wildly strategic in all
things is an essential attribute of a successful compliance officer for several
reasons.
Without a doubt, the mission of a compliance officer is complex and
extremely difficult. The strategic compliance officer must have the skills and
know-how to marshal and leverage organizational resources (including
engaged individuals), and to design, establish and manage a multi-
disciplinary compliance program that works to find, fix and prevent
misconduct or other serious organizational problems.
With so many moving parts and individuals involved at every stage of an
effective compliance program, the successful compliance officer and her
team are called upon to make hundreds of decisions and judgments every
week, both large and small, and prioritize multiple activities and projects.
Doing this effectively and powerfully is at the heart of being a wildly
strategic compliance officer.
The process of establishing a compliance and ethics program creates a “new
order of things” on many levels, and this may impact existing sources of
power in the organization in ways that may be perceived as threatening. The
wildly strategic compliance officer must be prepared to respond to challenges
and attacks on all things compliance in a careful and strategic manner in
order to ensure that the Compliance team and program are successful.

Our Compliance Journeys

We couldn’t be more excited to share with you our strategies for developing
and maintaining a world-class compliance and ethics program tailored to the
needs of your business.
Kristy’s Compliance Story

I’ve been involved in some of the largest and most interesting compliance
investigations and monitorships in the world, but I didn’t start there. I began
my career wanting to be an actress and producer in Hollywood. At 18, I left
the cold confines of upstate New York to head to Hollywood to attend
UCLA’s School of Theater, Film, and Television.
After graduating, I got a job at Paramount Pictures, working as an
administrative assistant to the executives turning screenplays into movies. It
was fascinating, but I was looking for a more dynamic environment than an
office could provide. I left Paramount and moved to television production,
working on programs for Fox FX Television and Sony TV. After a couple of
years in film and TV, my goals changed, and I decided to go to law school. I
toiled my way through Loyola Law School in Los Angeles, working full time
during the day as a legal secretary and attending classes at night. After
graduation, I joined the international law firm of Gibson, Dunn & Crutcher,
working in their Los Angeles office and specializing in anti-bribery
investigations and litigation.
Early in my legal career, I worked on the monitorship of the Siemens
Corporation, which had been stung with the largest bribery fine in history, as
well as the monitorship of a major pharmaceutical company.
In 2011, Gibson Dunn sent me to London to work on an internal investigation
of one of the banks caught up in the LIBOR rate-fixing scandal. I was
supposed to stay only two years, but I fell in love, married a wonderful
British man, and decided to stay in London. After nearly six years at Gibson
Dunn, I left to become the Director of Compliance for Europe, the Middle
East, and Africa for the world’s largest business travel company, Carlson
Wagonlit Travel. There I was in charge of compliance in nearly 100
countries.
Ultimately, the siren song of entertainment called me back. I became the
Chief Compliance Officer for United International Pictures, the joint
international distribution company of Paramount Pictures and Universal
Pictures. As the first full-time compliance professional at United International
Pictures, it was my job to build a compliance program. I ran compliance for
more than sixty countries on four continents. As I travelled the world to
perform training, I was inspired by the commitment of the people in the
company to compliance and ethics.
In 2016, I created Spark Compliance Consulting, an international consulting
firm specializing in designing, implementing, and optimizing compliance
programs for multi-national companies. Spark focuses on pragmatic,
proportionate, pro-business compliance and ethics solutions, and on ISO
37001 anti-bribery management systems certification.
In addition to my job at Spark Compliance, I am an Adjunct Professor at
Widener University Delaware School of Law, teaching Global Compliance
and Ethics to their Masters of Jurisprudence students.
Along the way, I’ve been nominated for awards, including a nomination as
part of Gibson Dunn for Best Regulatory Law Firm of the Year from
Thomson Reuters in London, and Chief Compliance Officer of the Year at
the Women in Compliance Awards. I’ve been featured in the Wall Street
Journal, Compliance Week, FCPA Blog, Risk Universe Magazine, Corporate
Financier, Ethikos, and on the cover of Compliance and Ethics Professional
Magazine. I’m a current Board Member of the Society of Corporate
Compliance and Ethics, on the Editorial Board of the Compliance and Ethics
Blog, and on the Advisory Board of Convercent.
I have delivered keynotes and corporate training in more than thirty-five
countries on five continents, performed countless international internal
investigations, and researched the laws in more countries than I can name. I
have implemented compliance programs in places where none existed, and
strengthened compliance programs where a complete breakdown had created
chaos and public punishment of the company.
I met Donna Boehme at the beginning of my compliance career. She was
presenting at the first European Conference of the Society of Corporate
Compliance and Ethics, and I was mesmerized by her command of the room.
She clearly knew her stuff. Six months later, I was in Washington, D.C. in the
Hilton Hotel’s lounge during the SCCE International Conference. Donna was
sitting with her husband, and I summoned all of my courage up to go talk to
her. I told her how much I’d enjoyed her presentation in London, and she
invited me to join her for a drink. I talked to her and her husband for what felt
like hours. We were fast friends immediately. I feel lucky to have met her,
and even luckier to collaborate on this book with her.

Donna’s Compliance Story

I was right to be excited about meeting Donna. She is an internationally
recognized authority in the field of organizational compliance and ethics,
with more than twenty years of experience designing and managing
compliance and ethics solutions within the United States and globally. Like
me, Donna started as a lawyer in private practice at Fried, Frank, Harris,
Shriver & Jacobson in New York. She holds a J.D. from New York
University School of Law.
Donna is Principal of Compliance Strategists LLC, where she has advised a
wide spectrum of private, public, governmental, academic, and nonprofit
entities. She serves on the boards of RAND Center of Corporate Ethics and
Governance, and Rutgers Center for Government Compliance and Ethics.
Donna is a past Board member of the Ethics and Compliance Officer
Association. She’s also a past Board member of the Association of Corporate
Counsel – Europe, and past Advisory Board member of the Society of
Corporate Compliance & Ethics. She was a charter member of the
Conference Board Council on Corporate Compliance & Ethics, the
Compliance and Ethics Leadership Council of the Corporate Executive
Board, and a past member of the Ethics Resource Center (Fellows Program).
Donna’s extensive on-the-ground experience includes serving as the first
global compliance and ethics officer for two leading multi-nationals. As
Group Compliance and Ethics Officer for BP PLC (London), she established
the company’s first global compliance and ethics function in 2003, including
the company’s global code of conduct, covering 100,000+ employees in over
100 countries (translated into 34 languages), a dedicated global compliance
and ethics team, and a ground-breaking network of 135+ senior–level
business ethics leaders.
At BOC Group (now part of Linde Group), she established the company’s
first global compliance and ethics function, and its first global code and
program, “Living Our Values.” Many elements of the programs designed and
developed by Donna are viewed as best practice in the field, and have been
adopted in various forms by leading companies.
Donna is a regular columnist with Corporate Counsel, Corporate Compliance
Insights, ComplianceX, and the FCPA Blog. She has been published and
quoted widely on issues in the field including in The Wall Street Journal, the
Boston Globe, the Washington Times, Reuters, the Economist, the Financial
Times, Chicago Tribune, Bloomberg, New York Law Journal, Board IQ and
Compliance Week. She is a frequent speaker for business and professional
groups, including keynote speaker for Compliance Week Europe (Brussels),
Ethics Practitioners Association of Canada (Ottawa), International Financial
Executives Leadership Forum (Montreal), and Network for Good Business
Ethics and Non-Financial Reporting (Copenhagen).
She has advised departments of the Canadian government, has spoken at the
House of Lords (London) on the design and implementation of global
compliance programs, and has served as a member of the U.S. delegation to
the 9th annual Rand-China Reform Forum (Beijing). She has participated in
working sessions of the OECD Working Group on Bribery (Paris), providing
input for the OECD Good Practice Guidance on Internal Controls, Ethics, and
Compliance, and has also presented to government agencies and regulators,
including the U.S. Securities and Exchange Commission in connection with
the final rules for the Dodd-Frank Act whistleblower program.
Donna is a guest lecturer at various business and law schools, including New
York University Stern School of Business. Donna is also co-chair and co-
founder of the RAND Compliance and Ethics Symposia series, an important
vehicle of thought leadership for the profession. She has been cited and
interviewed as the “Lion of Compliance” because of her tireless work to
increase understanding of the role of the chief compliance officer (CCO), to
improve the governance model for CCOs to include empowerment and
independence, and to position CCOs for success.
Donna is no stranger to media. She was featured in the award-winning PBS
documentary, “In Search of the Good Corporate Citizen.” She has been
frequently interviewed by the media as an authority on organizational
compliance and ethics, including Dow Jones, Fox News, Compliance Week,
Canadian Business Network, Corporate Compliance Monitor and Progressive
Radio Network. She was named to The Top Thought Leaders for
Trustworthy Business lists in 2014 and 2015 by Trust Across America, and is
a recipient of the 2014 SCCE International Compliance & Ethics award for
extraordinary contributions to the field. She was named as Who Compliance
Professionals Should Follow on Twitter in 2013 by ComplianceX.

What This Book Will Do for You


This book was written to help you create a winning strategy for your
compliance program, and to generate a way to sell your ideas so you get buy-
in from the business. We want you to have the experience of being a
tremendously successful professional, and this workbook will help you to do
it.
When my first book, How to Be a Wildly Effective Compliance Officer, came
out, Donna Boehme contacted me to talk about it. She owns a consulting
company called Compliance Strategists, and she said she thought strategy
was the missing link in many people’s professional development. She wanted
to write a book with me to teach compliance officers how to be more
strategic. As we established the concepts, we realized that this book should
be a workbook. We wanted to offer exercises, quizzes, templates, and
examples, to help each compliance officer make their own unique plan.
We’ll start by defining who you are and where you are. Specifically – how do
you like to work and collaborate, and where is your company in the
compliance cycle?
Chapter 2 will help you to define the risks you own within your department,
and perhaps more importantly, the risks you don’t own. From there we’ll get
into the nitty-gritty of creating a three-year plan with one-year goals, and a
monthly Compliance Dashboard.
After you’ve completed the framework chapters, we’ll discuss power – how
to find and cultivate it, and how to use it to your advantage. In Chapter 6
we’ll tackle preparing for and handling crisis. Lastly, we’ll take a long look at
answering the eternal question, “Am I a good compliance officer?”
The workbook you’re holding in your hands is the result of years of
experience, workshops, webinars, and seminars relating to the subject of
strategy and planning. We’re thrilled to help you get to the next level, with a
plan and a way forward to make your program shine.
Let’s begin at the beginning with a fundamental question: Who are you?
My Notes and Ideas for Implementation
________________________________________________________________________
CHAPTER 1

Knowing Who and Where You Are

Aristotle said that knowing yourself is the beginning of all wisdom.
Knowing who you are and how you work is critical to being a Wildly
Strategic Compliance Officer. But along with knowing your strengths,
weaknesses, and working style, you need to know where your organization is
in the compliance cycle. This chapter will help you to identify your
Compliance Type and where your company is along the Compliance Wave.

What’s Your Type, Baby?

All of us enjoy working in a way that suits our personality and proclivities,
but is your natural way of working helping you to be a Wildly Strategic
Compliance Officer? Perhaps you love to collaborate with other functions, or
perhaps you’re the type who likes to run everything yourself. Identifying
your type can help you to see your own strengths and weaknesses, which in
turn will allow you to strategically identify how you work with the business.
Self-knowledge is a critical first step to becoming a Wildly Strategic
Compliance Officer. If you know how you are likely to respond to a situation,
you can evaluate whether your natural response is the best response. To find
out your compliance officer type, take the following quiz.

Quiz: What’s Your Type?

There are no correct or incorrect answers to the following questions. Each
type has its strengths and weaknesses, and each type is helpful in certain
situations and problematic in others. For each of the following questions,
answer A, B, C or D. Be honest – no one will know the answers but you!
Question 1: The board just found out about a data breach that has
compromised the health records of 10,000 patients involved in a drug test
your company is conducting. Do you:

Answer A. Immediately declare Compliance will handle this.


Answer B. Tell the board you tried to warn them last year about cyber
threat, and this is what happens when they don’t listen.
Answer C. Go in with a plan you developed with Information Security
and Information Technology that will stop the leak and let you research
whether you need to disclose the breach to the regulators.
Answer D. Continue to work on your risk assessment for next year –
you haven’t explicitly been assigned data privacy.

Your Answer: ___


Question 2: You are the Chief Compliance Officer for an international food
company that buys raw produce from farms using migrant labor. The
European Union has passed a law that will come into force in 18 months that
requires supply chain audits to detect trafficked labor in supply chains. Do
you:
Answer A. Immediately outline a plan where Compliance is in charge of
the risk assessment, training, an anti-trafficking policy, and remediation
of any violations of the new policy.
Answer B. Tell the legal department there is a new law coming into
force. Laws are their responsibility.
Answer C. Prepare a plan with the Procurement and Human Resources
Departments to train the local managers on the ground, and a request
for a budget so you can get online training pushed out to everyone on
the red flags associated with human trafficking.
Answer D. Ignore it until the law comes into force in 18 months. It may
change in the interim anyway.
Your Answer: ___
Question 3: At the annual leadership meeting, the CEO says ethics and
culture are critically important, and they should be a focus for the upcoming
year. You:
Answer A. Decide Compliance should roll out an Ethics and
Compliance Week event next year, then schedule an appointment with
the CEO for the day she gets back in the office to discuss your plan.
Answer B. Ask the Director of Human Resources why ethics and
culture haven’t been handled effectively in the past.
Answer C. Call the Director of Human Resources to plan for a series of
two-minute videos highlighting the company’s values, and brainstorm
how the CEO, Compliance and HR can work together to highlight
ethics at the company.
Answer D. Let this one pass – it was one statement, and it wasn’t even
made directly to Compliance.
Your Answer: ___
Question 4: It’s your first day on the job as the company’s first compliance
officer. The Office of Foreign Assets Control (OFAC) fined your firm $1.9
million for violating sanctions laws on exports to various Middle Eastern
countries. You:
Answer A. Come in with a contract signed for sanctions-screening
software and a pre-paid retainer to the best law firm you can find.
Answer B. Call a meeting with the existing legal team to find out why
they didn’t catch the problem in the first place.
Answer C. Call a meeting with the legal team to figure out how you can
share some of their resources in researching other sanctions which may
cover the business.
Answer D. Are sure it’s fine – after $1.9 million in fines, and the
hiring of you to work in compliance, you’re sure the major problems
with sanctions are under control.
Your Answer: ___
Question 5: You’ve been in charge of the compliance department for four
years, and in the last twelve months, there hasn’t been a major issue or
problem. You:
Answer A. Begin your thorough risk assessment exactly as scheduled,
only this time you use a stricter methodology to ensure you haven’t
missed a thing.
Answer B. Email the third-party service running your whistle-blower
hotline to complain that they aren’t doing a good job with their
advertising/promotional material, since you haven’t had any calls.
Answer C. Request half-hour phone meetings with the heads of Internal
Audit, Legal and Human Resources to see if there are any areas in
which you can collaborate to improve the program for next year.
Answer D. Nothing – you’re doing an awesome job!

Your Answer: ___

Add Them Up

Add up the number of A, B, C and D answers you gave. Then read below to
discover your Compliance Leadership Personality.

A Answers ___
B Answers ___
C Answers ___
D Answers ___

Mostly As: Authorities

You know exactly what you’re doing. You love being in charge, and you
know that no one can do anything better than you can. You’re skilled, you’re
smart, and you hate it when other people interfere with your ability to get the
job done right. You’re the Authority, and you like it that way.
Strengths: Authorities are great planners. They love to be in charge and to
make and execute the plans they have created. They can be counted on and
boards and C-suites love their proactive approach to their job.
Weaknesses: Compliance is an inherently complex job requiring the input
and buy-in of many different areas of the business. Authorities can
pigeon-hole themselves, making it much harder to get things done. Their
initiatives may be blocked if they appear arrogant, because arrogance costs
them the buy-in required from other members of the business.
Advice: If you’re an Authority, be on alert to where other people and
departments can help you out. Be proactive in searching out others to whom
you can assign various parts of your tasks. Working together helps others to
understand the compliance function, and this can make you much more
effective.

Mostly Bs: Blamers

If the business had just done things your way, they wouldn’t be in this mess.
You know what you’re doing, but they just don’t listen to you. Sometimes
people and businesses get what they deserve. Hopefully next time they’ll
listen to you so that you can properly do your job. In the meantime, your
expression and demeanor clearly say, “I told you so!”
Strengths: Blamers are excellent at unwinding what happened and performing
a post-mortem review. Blamers can see what went wrong, which can be
helpful in refining the compliance program, or helping the business to avoid
the problem in the future.
Weaknesses: Blamers are often stuck in the past, looking at what happened
instead of pro-actively working to make the program better and to improve
the situation. Additionally, most people don’t like to be publicly shamed or to
have their failures pointed out, so blamers can easily become unpopular
within a team.
Advice: Separate the recognition of what happened from the personal
responsibility of others. If you’re able to opine or give advice about what to
do next time without rubbing it in or shaming others, you’ll be much more
effective.

Mostly Cs: Collaborators

Your motto is, “Let’s all get together to get this project done! If we all work
together, we’ll be better off.” You love to work with others and to get
everyone’s input and buy-in. You naturally want to involve the other
stakeholders because you know that will help each project both in terms of buy-in
and in terms of utilization of talent and subject matter expertise.
Strengths: Your ability to work well with the other functions allows
compliance to pull in the best of others. You ensure that projects are
completed efficiently, because there is no need to duplicate a skill set or
assignment in compliance if it is already being completed by another
function. You are a team player and are likely quite popular with the
business.
Weaknesses: Working with others can create a leadership void, where no one
has responsibility for getting a project or investigation completed. You may
struggle to complete your initiatives because you are relying on, and waiting
for, others to do their part.
Advice: Be clear when you delegate parts of your projects so that everyone
has the same expectation as to deliverables and timing. Make sure that you’re
on the same page with everyone on your team and in the different functions
when you share responsibilities and that everyone holds themselves
accountable to deadlines.

Mostly Ds: Deflectors

You think everything is going fine. It’s going so well that it really doesn’t
need input from you anymore, right? You’re happy with the way things are,
and you don’t want to rock the boat. It’s not that you’re lazy, it’s just that if
you start changing things, people may react badly. The status quo is just fine
with you.
Strengths: You are good at maintaining continuity. People know what to
expect from you and generally get what they expect. You feel safe and
comfortable, so for many, you are easy to work with.
Weaknesses: If you aren’t proactively looking after your program, it is likely
to fall behind and fail to respond properly to new risks. Your company runs
the risk of believing that the compliance function is handling problems, when
in fact it is simply ticking over day-to-day without a plan for fixing problems
in the future.
Advice: Balance your desire to maintain the status quo with a forward-
looking risk assessment and annual goals. You need to shake up your
program once in a while. Be proactive to give the business confidence that
you can handle the job.

Knowing Your Type

Once you know your type, you can look out for your strengths and
weaknesses as you create and refine your compliance program. Every type
has strengths and weaknesses, and the more you are able to compensate for
your weaknesses and highlight your strengths, the more effective you will be
at your job.
As you work through the rest of the book, think about how your type affects
your decision-making. Perhaps you need to work to add more of another type
into your behavior? The more you are able to evaluate what the best response
will be, the more effective you can become.

Riding the Compliance Wave

When you’ve been in compliance for a few years, you begin to notice a trend.
Investment in compliance and ethics programs comes in waves, and it can be
incredibly helpful to your sanity if you recognize that like many things,
investment and interest in a compliance program is usually cyclic. When you
understand the cycle, you can understand where your organization is and
anticipate what is to come. The cycle has four stages:

Stage One: Low Investment

A company that has never had a compliance program or has entirely stopped
investing in it begins here. Usually there is no understanding that compliance
is needed, or it is presented as an after-thought, frequently with the legal
department handling compliance in its spare time.

Stage Two: Crisis


Inevitably, because of non-investment and lack of attention, a crisis brews.
Suddenly management is shocked to learn that unethical conduct has
occurred, or a major fraud or bribery allegation has surfaced. Perhaps a third-
party or partner has misbehaved, or a sanctions rule was violated because no
one was paying attention to it.
In Stage Two, organizations begin to invest heavily in compliance. They
throw money at consultants and law firms, desperately trying to combat all of
the evils that are suddenly lurking around each corner. There is fear of the
unknown and heightened awareness. The word “compliance” begins to be
used at every high-level meeting, and the compliance program is invested in
heavily as the organization gears up for the worst: self-disclosure to the
authorities, reporting by a whistle-blower, shareholder derivative suits, or the
potential for reputational damage if the story leaks to the press.

Stage Three: Stability


In Stage Three, the organization understands the importance of compliance
and ethics, but the immediate crisis has waned. The initial firestorm of
investment has turned into a stable budget where the compliance leaders are
able to do their job properly. Requests for additional funds are thought
through intelligently, with proper consideration.
Stage Three is the nicest time to be in a compliance department.

Stage Four: Forgetting


In Stage Four, management begins to forget that they had a compliance and
ethics crisis. Perhaps the management has changed since Stage Two. Perhaps
employees have compliance fatigue such that if they have to take one more
training, they will throw the computer out the window. Perhaps even the
people in the compliance department are sick of hearing about compliance!
Stage Four is dangerous, because the people who have forgotten why
compliance is critical begin to de-invest. First they don’t want to pay for new
training, then the travel budget dries up, and lastly, the invitations to high-
level meetings disappear. Management begins to talk of other priorities, and
the momentum is lost. Compliance begins to compete with human resource
programs, charitable activities and innumerable other initiatives.

So Where Are You?

Now that you’ve read about the four stages, where is your program?
________________________________________________________________________
Knowing that you’re in Stage ____, what actions can you take to mitigate
harm to yourself and your program?
________________________________________________________________________
Knowing that you’re in Stage ___, what actions can you take in order to gain
advantage for yourself and your program?
________________________________________________________________________
________________________________________________________________________

The Cycle Begins Again

Once Stage Four’s forgetting begins, Stage One reappears, with low
investment in compliance and ethics. Inevitably, a problem occurs, which
reignites Stage Two, and the re-investment in compliance and ethics.
If we know this is the traditional cycle, why aren’t corporations better at
managing it? Why isn’t investment in compliance and ethics a consistent,
year-in-and-out priority which protects the company and saves money by
investing in a compliant and ethical values-based culture? The answer is
easy: people forget, and short-term thinking rules the day.
The good news is this: when you understand the cycle, you can see where
you are within it and know that it will inevitably run its course again. Don’t
be discouraged if you’re in Stage One or Four, and don’t be too overwhelmed
in Stage Two. Likewise, if you find yourself in Stage Three, understand that
Stage Four will come – but likewise, so will reinvestment and the
remembering of why compliance and ethics are critical for every business.
Riding the compliance wave can be difficult, but it can also be the ride of
your life.

Now that we know who we are and where we are, let’s continue with an
unexpected question: Do you really want to eat the whole elephant?

My Notes and Ideas for Implementation
________________________________________________________________________

CHAPTER 2

Choosing Risk: Do You Really Want to Eat the Whole Elephant?

I was attending a dinner party on a rainy Saturday night in London. Lewis,
the guest next to me, queried, “So you said you work in compliance?”
“Yes,” I said. “Compliance with what?” he asked. What a great question.
My answer to that question is normally, “the law,” but for some reason that
night, his question got me thinking. Compliance with what? Yes, of course, I
work to ensure that the company is in compliance with the law, but that
answer only covers one aspect of the job.
At the time I was at the dinner party, I was the Chief Compliance Officer at
United International Pictures, the joint venture of Paramount Pictures and
Universal Pictures, distributing movies in more than sixty-five countries. I
was in charge of compliance with certain laws – specifically anti-bribery and
trade sanctions law. I split responsibility for antitrust/competition law with
the legal department. We’d decided that if there were an antitrust internal
investigation, then compliance would handle it. As soon as the investigation
became a regulatory inquiry (or came in as one), then the legal department
was in charge. But what about labor and employment law? Compliance was
in charge when there was an assertion of retaliation, but breaks, overtime pay
and compliance with local labor laws were entirely within the purview of the
human resources department and local offices.
When you think about it, the compliance department is often in charge of
ensuring compliance with some laws, but what about ethics and culture?
There is no law that requires a company to promote ethical behavior. No law
dictates the compliance department must foster a strong and compliant
culture. Even due diligence procedures, which are bread-and-butter
compliance tasks, aren’t required by a law. Proper due diligence procedures
should protect a company from getting into trouble by stopping it from
partnering with a corrupt affiliate, agent or venture partner, but that due
diligence isn’t actually required by the law. These musings lead me back to
Lewis’ question: Compliance with what?

The Elephant in the Room


There's a famous old saying that asks, “What’s the best way to eat an
elephant? One bite at a time.” It can’t really be done any other way, and yet,
as compliance officers we sometimes bite off way more than we can chew, or
don’t plan how to tackle the elephant at all, simply diving in without
considering what will happen next.
The elephant in the room with every Board of Directors is the risks faced by
the company. It is vitally important that as the compliance officer, you have a
delineated, clear understanding of which risks you own, which risks you co-
manage, and which risks are owned by other departments. There are no two
ways about this. Either you come to an understanding with the Board, C-suite
and other functional managers about risk delegation, or you are in danger of
failing or being fired.

One of my consulting clients works for a large national company that used to
be a governmental agency. Several years ago the country de-regulated the
industry and sold the group as a private company, completely changing the
risk profile. What used to be a protected government entity was now subject
to the laws facing every other business.
The compliance department at the new entity had to be completely revamped.
To the dismay of my client, the Board of Directors assumed the answer to
“Compliance with what?” was “every possible law.” This assumption was
never clearly stated, and so my client, the CCO, was constantly hauled into
board meetings when anything went wrong and asked, “Why aren’t you
managing this risk?” or “Why haven’t you addressed this?” The answer was,
of course, that she hadn’t been given the resources or authority to handle all
of the risks. And because she hadn’t been given the resources or authority,
but was assigned the blame if anything went wrong, she was in a lose/lose
situation.

Defining the Risks

Unless your company has a comprehensive Enterprise Risk Management
Department (which covers all risks, not just the financial ones), you should
begin by defining the large areas of risk facing your company. Below you’ll
find the beginning of a list. Please add your own risk categories, until all of
your company’s major risk categories are identified:

Bribery
Competition/Antitrust
Data Privacy
Cyber risk/Identity theft
Trade sanctions/Import/Export
Health and safety
Culture and ethics
Modern Slavery/Trafficking
Bullying
Labor and employment
Government/Permits
Travel/Kidnapping
Terrorism
Money laundering
Products liability
Supply chain management
________________________
________________________
________________________
________________________
________________________
________________________
________________________
________________________
________________________
________________________
________________________
________________________
________________________
________________________

If you work in financial services, you may have listed a number of banking-
specific laws you need to manage. By contrast, if you work in
pharmaceuticals, you may have listed various gift-and-hospitality laws, as
well as enhanced privacy laws and labeling laws. Perhaps you work in
agriculture, so you probably have listed water-rights and animal welfare laws.
Whatever they are, make sure you have captured the major risk areas.

Who Owns Each Piece?

Now that you’ve outlined the major areas in which your company or
organization has risk, fill in the first two blocks of the Wildly Strategic
Compliance Officer Risk Ownership Chart to determine which of these risks
you own completely, which you jointly own, and which are not yours. You
can download a copy of this chart from www.ComplianceKristy.com.

Wildly Strategic Compliance Officer Risk Ownership Chart

| Risk | Current Owner | Explicit Assignment | Needs and Next Steps |
|---|---|---|---|
| Bribery | | | |
| Competition/Antitrust | | | |
| Data Privacy | | | |
| Cyber Risk/Identity Theft | | | |
| Trade Sanctions/Import/Export | | | |
| Employee Health and Safety | | | |
| Customer Health and Safety | | | |
| Culture and Ethics | | | |
| Modern Slavery/Trafficking | | | |
| Bullying | | | |
| Labor and Employment | | | |
| Government/Permits | | | |
| Travel/Kidnapping | | | |
| Terrorism | | | |
| Money Laundering | | | |
| Products Liability | | | |
| Supply Chain Management | | | |

To give you a sense of how this works in practice, I’ve filled in the first
several lines of this form as it exists for one of my media clients.

Wildly Strategic Compliance Officer Risk Ownership Chart – Media Mogul Company Ltd.

| Risk | Current Owner | Explicit Assignment | Needs and Next Steps |
|---|---|---|---|
| Bribery | Compliance | | |
| Competition/Antitrust | Compliance for internal investigations, Legal for regulatory investigations or formal proceedings | | |
| Data Privacy | Unclear – some pieces are owned by compliance, some by Information Security, and some by Information Technology | | |
| Cyber Risk/Identity Theft | Risks not yet addressed | | |
| Trade Sanctions/Import/Export | Compliance | | |
| Employee Health and Safety | Compliance and Human Resources | | |
| Customer Health and Safety | Compliance and local offices for security | | |
| Culture and Ethics | Compliance and Human Resources | | |

Documented and Understood

In our example worksheet, you can see some of these areas, such as cyber
risk, have not yet been adequately addressed by anyone. It may be that people
in the business are aware that cyber risk exists, but no concrete plan has been
made to address the risk. It may also be that people pass the risk profile back
and forth without taking ownership of the risk. This may be done out of fear
of taking responsibility, or because there are not resources available to
properly tackle the risk.
Once you’ve identified the risk buckets, your next task is to determine
whether each of the areas of risk is explicitly assigned to each owner. Write
down which functions or departments explicitly own each risk. In this
context, “explicit” means either (1) the risk is assigned to the department or
individual in a written-down policy, meeting minutes or procedures
document, or (2) everyone agrees the risk is handled by the assigned
department. Where no one explicitly owns the risk, note which functions
implicitly own the risk. A department or function may implicitly own a risk if
(1) the function is the de facto owner or responder to the risk, or (2) others
believe that the function is the owner, even though no one has ever said that
in an official document, policy, or explicit conversation.
This is how the form exists for the same media client.

Wildly Strategic Compliance Officer Risk Ownership Chart – Media Mogul Company Ltd.

| Risk | Current Owner | Explicit Assignment | Needs and Next Steps |
|---|---|---|---|
| Bribery | Compliance | Yes – in the job description and in our anti-bribery policy | |
| Competition/Antitrust | Compliance for internal investigations, Legal for regulatory investigations or formal proceedings | Yes – separation of duties is explicitly agreed to and implemented by Legal and Compliance | |
| Data Privacy | Unclear – some compliance, some Information Security and some Information Technology | No – our online privacy policy was written by Legal, but no one is in charge of handling data breach incidents or dealing with regulatory changes | |
| Cyber Risk/Identity Theft | Risks not yet discussed | No | |
| Trade Sanctions/Import/Export | Compliance | Yes – compliance runs the Bridger checks and due diligence, and handles import/export issues | |
| Employee Health and Safety | Human Resources and Security | Yes | |
| Customer Health and Safety | Compliance and local offices for security | Yes – Compliance oversees health and safety complaints if they come in through the whistle-blower hotline mechanisms | |
| Culture and Ethics | Compliance and Human Resources | No – Compliance and Human Resources work together on culture; Compliance handles Compliance and Ethics Week with the help of HR | |

Reviewing the chart, it should be evident where Compliance has explicit
direct responsibility, shared responsibility, and unclear responsibility for all
of the major risk areas affecting your business.

Risk Assignment: The Next Frontier

Before you fill in the last column, think back to Chapter 1. Which compliance
officer type are you? You should consider your strengths, weaknesses, and
predilections before deciding how you want to fill in the last column. If
you’re an Authority, do you really want to take on all the risk managing the
data privacy program? If you’re a Collaborator, what responsibilities should
you give to Human Resources so that you are sure you can complete the
necessary tasks to keep the employees safe in all areas of your business? Be
sure to look at your own biases and natural ways of working to determine
whether they are the best, most efficient and most strategic for the situation in
which you find yourself and your program.

Now that you’ve carefully thought it through, fill in the last column of the
Wildly Strategic Compliance Officer Risk Ownership Chart. Take the time to
write down the next steps required to properly and explicitly assign each risk,
rather than the next action required. For example, let’s say you know that
certain high-risk sales executives need to receive anti-bribery training. Your
“Needs and Next Steps” column shouldn’t note this. Instead, the column
should note the need to determine which function owns bribery risk. Once the
proper function has been identified and explicitly given the responsibility for
bribery risk, then the conversation about anti-bribery training can follow.

I’ve filled in the first several lines of this form as it exists for one of my
media clients to show you how this evaluation looks in practice.

Wildly Strategic Compliance Officer Risk Ownership Chart – Media Mogul Company Ltd.

| Risk | Current Owner | Explicit Assignment | Needs and Next Steps |
|---|---|---|---|
| Bribery | Compliance | Yes – in the job description and in our anti-bribery policy | None |
| Competition/Antitrust | Compliance for internal investigations, Legal for regulatory investigations or formal proceedings | Yes – separation of duties is explicitly agreed to and implemented by Legal and Compliance | None |
| Data Privacy | Unclear – some Compliance, some Information Security and some Information Technology | No – our online privacy policy was written by Legal, but no one is in charge of handling data breach or dealing with regulatory changes | Create a rapid response team for data breach preparation, including representatives from Legal, Compliance, Communications, Information Technology, and Information Security. Talk to Legal about how we should handle duties regarding upcoming changes in data privacy law. |
| Cyber Risk/Identity Theft | Risks not yet discussed | No | Create a meeting with Legal, Information Technology, and Information Security heads to discuss cyber risk, responsibilities, and response. |
| Trade Sanctions/Import/Export | Compliance | Yes – compliance runs the Bridger checks and due diligence and handles import/export issues | None |
| Employee Health and Safety | Human Resources and Security | Yes | Create a meeting with Human Resources and Security to discuss the major risks facing the business in anticipation of next year’s risk assessment. |
| Customer Health and Safety | Compliance and local offices for security | Yes – Compliance oversees health and safety complaints if they come in through the whistle-blower hotline mechanisms | None |
| Culture and Ethics | Compliance and Human Resources | No – Compliance and Human Resources work together on culture; Compliance handles Compliance and Ethics Week with the help of HR | Create a meeting with Human Resources to discuss collaboration and defining of roles, tasks and deliverables relating to enhancing and measuring culture and ethics throughout the company. |

Here’s Your Chance

Fill it out:

| Risk | Current Owner | Explicit Assignment | Needs and Next Steps |
|---|---|---|---|
| | | | |

A (Wo)Man with a Plan

Congratulations – you’re now a woman or man with a plan! You’ve
identified the major risks affecting the business, evaluated whether
compliance should handle those risks independently or in association with
other business functions, and made a plan for a clear delineation of tasks and
responsibilities. This exercise will serve you well when you come to perform
your annual risk assessments.
Now that you’ve defined the risks you’re handling, let’s put together a three-
year plan to mitigate and manage those risks.

My Notes and Ideas for Implementation
________________________________________________________________________

CHAPTER 3

Come Join Me in My Vision

The very first week I started my consulting practice, I got a harried call.
“Kristy, can you help me? It seems like all I do is fight fires. The Audit
Committee has started asking what I’m going to do in the future and the
truth is, I don’t know. I’m obviously going to respond to the problems, but
how do I show the Board that I have a plan, and more importantly, how do I
create one?” Eleanor, the Head of Compliance at a Europe-wide public
service company, found herself at a crossroads. When she was promoted
from the legal department to run the compliance team, she took over a
dysfunctional group that operated from a backward-looking vantage point.
Now, 18 months after she took over, the Board was losing patience with her
and had begun doubting her capacity to lead proactively. How was she going
to create a vision that others could support?
One of the biggest challenges compliance officers face is creating a vision all
of your major stakeholders can buy into. Too many compliance officers find
themselves fighting fires, performing internal investigations, and explaining
what happened as opposed to what they are going to make happen in the
program.

The ideal time to create and promote your vision is within your first few
months on the job, or at your first Board meeting. But if you haven’t
presented your vision previously, there is always time to promote yourself as
a true leader to the Board and to the business.
In order to communicate your vision, you are going to want to create three
things: (1) your three-year plan; (2) your one-year goals and deliverables; and
(3) your monthly compliance dashboard.

Creating Your Three-Year Vision

The first thing that you should do is create your three-year vision document. I
have created compliance programs from scratch, both as a Chief Compliance
Officer and as a consultant working with many multi-national companies. It
is critically important to get the Board and C-suite to buy into your vision for
the program. If your vision and theirs aren’t aligned, you may accidentally go
in a direction they don’t like, which will create several bad outcomes.
First, the Board will have their own ideas about how your program should
look in three years. By not setting the agenda and getting their agreement up
front, you aren’t controlling the conversation, which means you are up
against unspoken expectations, which can be the kiss of death for your
capacity to succeed.
Second, if you express your goals and vision and they are distinctly different
than the Board’s expectations, it is much better to find out early so you can
align your vision with their expectations. If you go about creating a program
that doesn’t meet their expectations, or that meets your vision but not theirs,
you will not succeed. Moreover, even if you create what you believe to be a
brilliant program, you will not have met their perceived needs.
Finally, you must create a shared vision, because all of your requests for
resources depend on your ability to convince the Board that you need the
resources to execute your shared vision. If you ask for $100,000 for a new
system, and you haven’t created a shared vision, the Board will find it easy to
say no to you. If, however, you’ve created a shared vision, when you request
$100,000 to achieve one of your agreed-to objectives, you are much more
likely to have the request granted, because the Board understands why you
need it.

Where Do I Start?

So how do you create your vision for the program? I like the categories or
elements of a compliance program that are identified within the U.S. Federal
Sentencing Guidelines. International readers, take heart – I’m London-based
and have created many programs from scratch for companies operating solely
in Europe, the Middle East, and Africa.
The thing about the Federal Sentencing Guidelines (Chapter 8) is they were
originally written to describe how a “good” compliance program should
operate. After the creation of the “seven elements of a compliance program”
as defined by the U.S. Federal Sentencing Guidelines, the U.K. Bribery Act
came with guidance specifying what “adequate procedures” meant, and that
guidance looked suspiciously like that incorporated within the U.S. Federal
Sentencing Guidelines. In 2017, the International Standards Organization
introduced the ISO 37001 Anti-Bribery Management Systems International
Standard, which once again mirrored the elements found within both the U.S.
Federal Sentencing Guidelines and the U.K. guidelines on what makes for
adequate procedures against bribery.
The reason all of the international standards use the same basic ideas is
because they provide an outstanding framework from which to create a
compliance program. It is compelling that the world has agreed on the basic
requirements for an outstanding compliance program, because it makes it
easier not only to create a good program, but also for regulators and corporate
boards throughout the world to agree to your vision.
There are seven basic areas of a compliance program required by the
international frameworks:
1. Policies and Procedures: Policies and procedures include your
Code of Conduct and all other written documents that guide the
behavior and processes of your program.

2. Training: Training refers to all instruction and education you give


your employees, contractors, sub-contractors, customers, or others
on your compliance program. It incorporates both online and in-
person training.
3. Monitoring: Monitoring refers to systems which help you to
monitor what is going on in your business. Monitoring includes
whistle-blower hotlines; online reporting mechanisms; governance,
risk, and compliance (“GRC”) software; and other online case-
tracking programs and pro-active systems that identify and monitor
risk.

4. Messaging: Messaging includes all messages sent to your


employees and others regarding the compliance and ethics
program. Messaging may come from the Compliance Department,
the CEO, the Board or C-Suite, managers, or the Corporate
Communications Department.

5. Due Diligence: Due Diligence refers to the process by which all of


your employees, agents, third-parties, sub-contractors and
customers (where required) are vetted. Due diligence may include
employee background checks, formalized processes of review for
third-parties prior to and during renewal of contracts, and any other
online or investigatory process which must be completed before
people or companies are allowed to work with the primary
employer.

6. Risk Assessment: Risk assessment refers to the formal process by
which you measure the types of risk that affect your business.
Your risk assessment should consider (1) the likelihood of the risk
turning into a problem, and (2) the severity of the problem if the
risk materializes.

7. Governance: Governance refers to the mechanics of the
compliance program within the organization. Governance relates to
things like how often the compliance officers meet with the Board,
C-suite or other managers, and the interval for reporting progress
on the program and the problems discovered.

Using the Elements to Address Specific Risks


It’s important to understand that these seven areas or elements are categories
that contain risk and your response to the risk. I’ve seen people deviate from
these to try to make Fraud Prevention one of their seven elements, or to make
Code of Conduct its own element. This won’t work. You need to put each
risk area or piece of work into the area that best represents the activity you
need to do to accomplish your goal.

Eleanor, the Chief Compliance Officer of the European public company
mentioned at the beginning of this chapter, was told the Board was highly
focused on bribery risk, and she was to address that risk proactively with the
compliance program. We worked together to consider how she could mitigate
bribery risk throughout all the areas of her program. If this were your
program, and you wanted to address bribery risk, you could do the following:

1. Policies and Procedures: You will likely want to create an anti-
bribery policy, as well as a gifts and hospitality policy. You may
also want to include bribery prohibitions in your Code of Conduct.
You may also want to create due diligence procedures that are
formalized in their own document.

2. Training: You will likely assign anti-bribery training to employees
in high-risk areas, or include anti-bribery training as part of your
annual compliance and ethics training. You may also perform
Board-level training as part of your program.

3. Monitoring: You may want to include a specific reference to
whistle-blowing for bribery in the materials and posters associated
with your Speak-Up/whistle-blower hotline and online portal. You
may also include bribery cases within your GRC system or other
case-tracking initiative.

4. Messaging: You may ask your CEO or other prominent manager to
send out an anti-bribery commitment message, either by email or
video. You may also ask the CEO or other business leader to
include a letter at the beginning of the Code of Conduct addressing
the company’s commitment not to engage in bribery or corruption.

5. Due Diligence: You may create a due-diligence system that
categorizes third-parties and agents by level of risk, and then
investigates them in order to determine whether they have a
reputation or history of bribery or corruption.

6. Risk Assessment: You will likely need to rank the business areas
by risk of bribery. For instance, if you have some business units
that deal exclusively with government contracting, they are
probably at higher risk than your legal and human resources
functions. Likewise, you may need to assess risk based on the
country, using the Transparency International Corruption
Perception Index, or another scale.

7. Governance: You may want to include time to share your risk
assessment, training results, and other program-oriented results
with your Board or C-suite during your scheduled meetings.

By taking each area of risk and putting controls around it throughout your
program framework, you will be able to create a fulsome response to risk,
which will allow you to effectively and strategically respond to the risk in the
business. Here’s your chance:

Element Specific Risk or Deficiencies to Address

1. Policies and
Procedures
2. Training

3. Monitoring

4. Messaging

5. Due Diligence
6. Risk Assessment

7. Governance

Where We Are Now Versus Where We’re Going

Once Eleanor had developed her three-year plan, she needed to decide how to
present it. One of the most effective ways to present your three-year plan is to
juxtapose where the business is now and where it is going for each of the
seven areas of the compliance program. When you show the business what is
already in place, and then show it where you think the program should be in
three years, the logical progression is to create a roadmap for getting from
here to there.
It is important that you draft measurable outcomes for the “where we are
going” sections. You won’t know – or be able to prove – if you’ve succeeded
in “embedding compliance in the DNA of the company.” However, you can
prove that “95 percent of the third-parties associated with the business have
completed the new due diligence process.” Try to set objective goals for your
program wherever possible, so when you’ve accomplished them, you’ll be
able to say so. Let’s look at each of the seven areas one by one so we can see
some example goals.

Area 1: Policies and Procedures: Three-Year Goals


Redraft and publish a new Code of Conduct
Complete implementation of a Gifts and Hospitality policy
Complete implementation of a Gifts and Hospitality registry and
online form that will be used by all areas of the business
Complete implementation of Sanctions Screening Software and
system

Area 2: Training

Roll out global Code of Conduct and Ethics training with a 95
percent completion rate on an annual basis
Roll out additional training to all high-risk personnel as identified
by our Risk Assessment on an annual basis
Complete in-person training of our highest level of managers, or
leaders of the highest-risk areas of the business

Area 3: Monitoring

Complete roll out of whistle-blower hotline throughout the world
Fully implement GRC system to track compliance-related cases
from inception to completion
Use data available from the GRC system to proactively influence
the annual risk assessment by distributing resources where they are
most needed

Area 4: Messaging

Send at least three compliance-related messages per year to each
employee: (1) regarding the Gifts and Hospitality policy near the
holidays; (2) regarding the Code of Conduct annual training; and
(3) regarding the Speak Up hotline with FAQ document.
Send at least one email or video message from our CEO regarding
the importance of compliance or the upcoming training
Complete poster campaign celebrating Compliance and Ethics
Week in each of our offices.

Area 5: Due Diligence

Complete implementation of the third-party Intermediary
Management System
Complete review of all third-party intermediaries in high-risk
countries as defined by the Transparency International Corruption
Perceptions Index (insert year)
Complete implementation of anti-corruption contract clauses for
all agents, representatives and other third-parties as of (insert year)

Area 6: Risk Assessment

Complete annual risk assessment to prioritize risk for each
upcoming year
Complete review of the compliance program at the end of year
three by an independent consultant or outside firm
Incorporate recommendations from outside law firms and
consultants regarding laws coming into force in the upcoming year
which will affect our business

Area 7: Governance

Complete every-other-month Business Conduct Council one-hour
phone meetings with Compliance leaders and key C-suite members
Perform bi-annual in-person updates to the Board of Directors
about the progress of the compliance program and any outstanding
issues or investigations of high importance
Complete the sending of monthly Compliance Dashboards to each
Board member, C-Suite member and Business Conduct Council
member

Here’s Your Chance:

Define specific, measurable, deliverable or statistic-based goals for your
three-year plan in the following matrix:

Element Specific Goals or Deliverables

1. Policies and
Procedures

2. Training
3. Monitoring

4. Messaging

5. Due Diligence

6. Risk Assessment

7. Governance

Once you’ve outlined goals for each of these areas, you can easily juxtapose
where you currently are with where you want to go. You can create slides or
a presentation that will show the Board your vision.

TRAINING

Where We Are

Training is entirely presented online
Training is entirely presented in English
All training is presented to all employees regardless of risk profile or role

Where We’re Going

Training presented in person at least once a year in our top three highest-risk jurisdictions
Training presented in a choice of languages, including use of interpreters for in-person training and multi-lingual options for online training
Training assigned to each employee on a risk-based basis

The goal with each slide or discussion point is to get buy-in from the business
leaders, C-Suite or Board, so that when you ask for the budget to obtain the
resources you need to meet your goals, you will have an easier time
advocating for those resources.

Here’s Your Chance

Fill out the following matrix to help you define your three-year plan by
showing where the company and program are now, and where you hope to be
at the end of the three years.

1. POLICIES AND
PROCEDURES

Where We Are Where We’re Going

2. TRAINING

Where We Are Where We’re Going

3. MONITORING

Where We Are Where We’re Going


4. MESSAGING

Where We Are Where We’re Going

5. DUE DILIGENCE

Where We Are Where We’re Going

6. RISK ASSESSMENT

Where We Are Where We’re Going


7. GOVERNANCE

Where We Are Where We’re Going

Creating Your Year One Goals

Once you’ve got buy-in for your three-year vision, it is then up to you to
make your year-one goals. Try to ensure that each of your year-one goals is
attainable. During the first year, you want to prove that (1) you have vision,
(2) you can get buy-in for your vision, and (3) you can get your vision
accomplished. You want goals you can accomplish so that you can trumpet
your achievements at the next Board meeting or annual review.
You can create stretch goals for years two and three, but for year one, go for
goals that you know you can achieve so you become someone who is known
for fulfilling promises. Eleanor created her year one goals by focusing on the
projects she’d already started. For instance, she listed “perform in-person
training for our high-risk sales groups throughout the U.K.,” as she was
already scheduled to speak at the sales conference later that year. She focused
on attainable year-one goals that she was likely to achieve, which allowed the
Board to see her as a success.

Eleanor’s year-one goals for training were presented as follows:

YEAR ONE

1. Policies and Procedures

Complete drafting and implementation of Gifts and Hospitality Policy and Procedure
Outline draft of Code of Conduct in anticipation of year-two Code re-write

2. Training

Perform in-person training to at least three business units in two countries
Obtain off-the-shelf Code of Conduct online training in English and Spanish

Here’s Your Chance

Fill in the following matrix with your year-one goals. Remember that they
need to relate to your three-year plan. For each area of the compliance
program, your year-one goals should be (1) measurable, specific, deliverable-
oriented goals that will (2) drive your ability to successfully complete your
three-year vision.

YEAR ONE

1. Policies and
Procedures
2. Training

3. Monitoring

4. Messaging

5. Due Diligence

6. Risk Assessment

7. Governance

The Monthly Compliance Dashboard


Once you’ve created your year-one goals, how do you stay on track to
complete them, and more importantly, how do you show the business you are
making progress on a regular basis? One of the challenges facing a
compliance officer is that much of your work will be done without much
feedback from the business. You are expected to handle crises and continue
to implement the program, but if you never communicate with the business
about your movement toward your goals, the business might fail to value
what you are doing. In addition, if you don’t have any measure of your
success, you may have difficulty proving your value, or showing why you
need additional resources to complete your goals.
On the other hand, most business leaders don’t want to be overwhelmed with
a report on the activity within the compliance department. So how do you
manage to communicate effectively and have a record of your
accomplishments, but still be concise? You use the Compliance Dashboard.
When I was a CCO, every month I sent a Compliance Dashboard to the board
members of the joint venture I worked for, along with the senior managers on
the compliance committee. The Compliance Dashboard listed my yearly
goals in each of the seven areas of the compliance program, along with a
bullet-pointed update as to my progress toward each goal. Every month I’d
update the Dashboard, and each January I’d create a new one. I’d send these
Dashboards via email so the business could see where I was succeeding. Here
is an example of the Compliance Dashboard:
When you implement the Compliance Dashboard, send a quick email noting
that the Board members or recipients are going to receive one each month,
then send them like clockwork on the last working day of the month.
Eleanor implemented the Compliance Dashboard the month after her three-
year vision and one-year goals were approved by the Board. Now she has an
excellent record at the end of the year that proves her successes, and she has a
monthly self-check-up that shows her where she may be falling behind and
need to put in more effort. The Compliance Dashboard helps keep her on
track for achieving her year-one goals, which will support the implementation
of her three-year vision.

Here’s Your Chance

Fill in your month-one Compliance Dashboard, using the year-one goals you
developed previously in this chapter.

Compliance Dashboard – [Month and Year]

Big Seven Annual Goals Progress Update

(1) Policies and
Procedures

(2) Training

(3) Monitoring

(4) Messaging

(5) Due Diligence


(6) Risk Assessment

(7) Governance

Putting It Together

Employing the strategies in this chapter will help you to ensure you’re on the
same page as the Board and C-suite within your organization. You’ll also be
able to keep yourself on track and focused on the things that matter to your
employer. By creating a vision, and having the discipline to evaluate your
progress on a monthly basis, you are much more likely to be successful as a
Wildly Strategic Compliance Officer.

My Notes and Ideas for
Implementation
________________________________________________________________________
CHAPTER 4

I Want Money, That’s What I Want:
Successfully Engaging the Board and
C-suite to Get Budget and Resources

“Mr. Bumble sir, I want some more.” “MORE? Did you just say
MORE?” – Oliver Twist

When your program needs more resources, it is critical you receive them.
But in this cost-cutting, post-recession world, how do you effectively
make your case to the Board of Directors or the C-suite? How do you
ensure the best chance the resources you need will be forthcoming?
In my former role as Chief Compliance Officer for United International
Pictures, I reported to the Compliance Committee of the Board of Directors
twice a year for several hours. I was responsible for making the case for the
compliance department’s budget, and for asking for additional resources
when I needed them. The following are proven ways to persuade the Board
and C-suite to give you the resources you need.

Be Explicit and Specific


It may seem obvious to you why you are requesting more resources – you
need them! But in order to receive more than you already have, you need to
do two things. First, you need to ask specifically for what you want. Second,
you need to make the case as to why you need the resources.
When you make your request, first you must make a solid business case. This
can be done by (1) briefly explaining what has changed, such as the
implementation of a new law or the expansion into a new market; and (2)
using statistics, examples, and specific metrics. Many times resources are not
approved because people have not made a solid case for why they are needed.
If you say, “There are new sanctions, so I need more money,” that is unlikely
to be effective. However, if you say, “The company is expanding throughout
East Africa. As there are several governments in the region where sanctions
have been imposed against former leaders and their associates, our
department needs an additional $25,000 to neutralize the risk presented in
this environment. The $25,000 will be used as follows…” The more specific
you can be with your need, the more likely the resource is to be granted.

Here’s Your Chance

Answer the following questions to narrow down exactly what you need from
the business:

What do I want? (Be specific. You should be able to explain it in no more
than five words)
_________________________________________________________________________
Why do I need it? (Give three specific reasons):
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
What will this resource help me to achieve (or what risks will it mitigate)?
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
What negative outcomes are possible if I don’t receive this resource?
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
How will this resource positively affect my job and the company as a whole?
_________________________________________________________________________
_________________________________________________________________________
________________________________________________________________________
Now, write out your pitch for the resource using the answers above:

________________________________________________________________________
________________________________________________________________________

Practice
People have faith in people who come into the room confident and ready to
make their presentation. Practice enables you to be confident in your
presentation, and to be ready for any follow up questions. If at all possible,
use another member of your team to ask you every question he or she can
come up with about your proposal to the Board. Practice delivering the
proposal and navigating the question and answer session until you are
comfortable making your business case. The more specific you can be, the
more prepared you will seem, and the more likely you are to get approval for
your request.
Before I went into any Board meeting, I would ask my junior attorney to
watch my presentation and give me feedback. She’d sometimes see places
where I’d made a leap without explaining myself. When you’re an expert on
the topic, it is easy to forget to explain the background in enough detail that a
layman could understand it. By practicing out loud, and getting unbiased
feedback, I was able to make my presentations more effective.

Here’s Your Chance

Name three people you could ask to help you practice your presentation or
your pitch for resources:
___________________________________________________________
___________________________________________________________
___________________________________________________________

Use Stories
Men and women have been using stories to educate and inspire others since
the beginning of communication. You can use stories in a powerful way to
obtain buy-in from the Board or C-suite. One of the most effective ways to
use stories is to bring in cautionary tales from your industry. If another
company in your industry or an adjunct industry has recently had a
compliance failure or import/export fine, use the story to put the Board or C-
suite on notice.
Studies have shown that people relate most strongly to stories featuring
people like themselves. If you can tell a true story using people from a
competing company, or people from a company in the same industry,
country, city or company size, you are more likely to have the Board
members put themselves in the shoes of those that had a failure. You are
much more likely to get what you need when the Board is emotionally
affected by the possibility of failure regarding export/import or sanctions.
Stories create emotional reactions in people in a way that facts and figures do
not. Use the power of storytelling to your advantage.
For example, let’s say you work in the technology sector, and you want to
implement a Know Your Customer protocol. You could tell the Board
members about the recent $1.5 million penalty imposed on a company for
selling products to Iran and Sudan, and to sanctioned parties in Syria. Using
an example within your industry can be particularly effective, as leaders
within an industry frequently know each other socially from industry
meetings and networking events. When you make the case that the new
program will cost $100,000, versus the risk of a $1.5 million fine and the
accompanying reputational damage, it is much easier to have your request
approved.
Another way to use stories is to paint a picture of how the business would be
more efficient, more effective, or better served by the granting of the resource
request. Tell the story of how the company will work after implementation,
focusing on the results of the investment. It is unlikely the Board or members
of the C-suite are interested in the details of how your new computer system
or employee resources will work. Instead, tell the story of how much better
off the company will be after the resources have been implemented. A good
story is worth more than 1,000 spreadsheets.
Use Fear, but Follow Up With Specific Actions

Using stories that evoke fear in the Board or C-suite can be very effective in
helping them to understand your need for greater resources. Be sure to
explain what can happen if the resources aren’t granted. Once you’ve set the
scene with potentially catastrophic outcomes, give the Board or C-suite your
solution so they can agree to it. The commonly used platitude “don’t shoot
the messenger” may apply to you if you tell the Board or C-Suite they are in
a precarious situation. They may turn their anger or worry on you. However,
if you provide a plan that will resolve the worrisome situation, the Board is
likely to approve the plan, and therefore the request for more resources, which
will allow you to solve the problem.

Use Visuals

Studies have shown that some people learn in an auditory way, while others
learn visually. If possible, bring visual aids to your presentation. When
people are using more than one of their senses, they are much more likely to
become engaged. If you are presenting in both a visual and audio way, you
are more likely to get the attention of your audience.
For example, I was consulting with a client who was implementing screening
software that would automatically check if third-parties were on sanctions
lists like OFAC’s Specially Designated Nationals list. He wanted to purchase
the vendor’s add-on service, which would evaluate and eliminate the vast
majority of false-positive hits before the client’s compliance team had to deal
with them. This add-on feature cost several thousand dollars a year, but my
client knew his team’s time was better spent on other work. To demonstrate
the value of the false-positive clearing service, my client included three slides
in his presentation to show the false positives in a simplistic format. My
client said to the Board, “OK, let’s say you’re receiving the report. It says
that our customer Jorge Garcia Sanchez may be a match to someone on the
sanctions list. Look at the match. Can you see why our customer isn’t the
same person?” The Board members immediately saw on the slide that their
customer Jorge Garcia Sanchez lives in Spain, while the Jorge Garcia
Sanchez on the sanctions list lives in Mexico. After going through three
examples with the Board, my client said, “We can eliminate this waste of
time by having my team review only potential true matches.” My client
received approval for the service.
Because the Board had engaged in a simplified version of the activity, they
could tell the add-on provided real value and made business sense. The visual
examples made all the difference in their understanding of the problem and
the benefits of the solution.
Use pictures where appropriate. If you’re using PowerPoint, be sure your
slides are easily readable. Use as few words as possible on each slide to get
your point across. Remember, reading aloud what’s written on your slides
actually makes you less effective than if you have no slides. When you read
the texts on your slides, people soon realize they can read what you are going
to say, and they tune out. Use slides as a tool instead of a script.

Utilize a “Choice of Yes” Pattern

When you present to the Board, lead with the request for the resources that
you want most, but be prepared with a higher cost option and a lower cost
option. If the Board or C-suite questions whether the resource is really
necessary, be prepared to show a cheaper and a more expensive option. Being
prepared with a choice of options will show the Board two things: First,
you’ll show you’ve done your research and thought about what you need. But
more importantly, the Board or C-suite will feel that they have a choice,
which will make them feel empowered.
When you are presenting your options, assume that the answer will be yes.
Author Alan Weiss describes this pattern as a “choice of yeses.” Instead of
presenting a yes/no possibility, you should state that the Board or C-suite can
“choose which of these options works best for the company.” This language
assumes that one of the options will be chosen, which instinctively tells the
people evaluating the decision that their job is to pick one of the options. It is
much less likely that the Board or C-suite will say “no” when they are
presented with a “choice of yeses.”

Here’s Your Chance

What resource do you want (be specific):


_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
Name three different options for obtaining the resource. Maybe there are
three vendors offering the resource. Perhaps there are three levels of service
or payment plan options. Come up with three different ways of achieving the
goal:
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
Now, when you present these, say, “There are three ways we can do this.
Which would you prefer?”

Putting It Together

Combining all the previous techniques will make it more likely that your
request for greater resources will be approved. Helping the Board or C-suite
to understand the problem via storytelling, and offering solutions in a way
that is likely to obtain a positive response, will go a long way toward making
you highly effective.
My Notes and Ideas for
Implementation
________________________________________________________________________
CHAPTER 5

Finding and Developing Sources of
Power

“Power … how did such a good thing get such a bad reputation? Many
people have negative connotations about power… it corrupts, subjugates,
controls, and abuses others. But this is not power – this is abuse of
power. Distilled down to its simplest definition, power is the ability to
make happen what you need to have happen without ever violating the
rights of others.”
- Kate Sanner

One of the most important things you can learn is how power operates in
your business. Oh, sure, you can look at the organizational chart, but that
won’t tell you who really has the power. It also won’t tell you who the
undercover influences are, and how to use them to get your agenda moved
forward. The truth is that power dynamics strongly affect your ability to be
wildly effective. If you don’t strategically use power sources, you’ll be stuck
on your own, trying to push the rock uphill. It’s so much easier to align with
the leaders of your business than to fight against them.
Once you’ve learned who has the power, you must learn how to work with
them by getting to them emotionally.

Covert Power, Influencers and Named Leaders: Identifying the
Power Sources
In every business, family, group of friends, or club there are two sources of
power – the named power and the covert power. The named power is obvious
– it’s the source of authority. In business, the named power is almost always
the manager, President or CEO, and the members of the Board of Directors.
The second source of power is the covert power. Covert power tends to come
from people who are highly charismatic, well connected, or long-established
within the company. Whenever you’re in a room with the business managers,
look around to see who has covert power. You can usually determine this by
observing the responses of the listeners to the person who is talking. The
comments of some people are quickly dismissed or ignored, while those of
others are carefully considered. You can also determine who has covert
power by noting the people who are consistently chosen to lead important
projects.
People with covert power are incredibly important resources. If you are able
to connect with them so they become compliance believers, you will have a
much better likelihood of success.
Ideally, you want to connect with, and obtain buy-in from, both the people
with named power and with covert power. People with covert power who
believe in your compliance mission will carry compliance ideas into their
meetings and processes. Since they are natural leaders, others will follow
their lead.
If possible, you should establish your role so that you have a direct line of
reporting to the top Power Sources, including both the CEO and the Board of
Directors. Your direct access will allow you to perform your job at the
highest possible level, without interference or screening by the business or
the General Counsel.

Here’s Your Chance


Name the sources of Named Power in your Organization:
1. CEO/President: _____________________________________________
2. Other C-Suite Member: _____________________________________________
3. Other C-Suite Member: _____________________________________________
4. Key Manager: _____________________________________________
5. Your Direct Boss: _____________________________________________
6. Other Named Power (1): _____________________________________________
7. Other Named Power (2): _____________________________________________
8. Other Named Power (3): _____________________________________________
9. Other Named Power (4): _____________________________________________
10. Other Named Power (5): _____________________________________________
Name the sources of Covert Power in your Organization:
1. Most Popular Leader: _____________________________________________
2. Longest-Serving Leader: _____________________________________________
3. “It Girl” or “It Boy” (popularity): _____________________________________________
4. Rabble-rouser: _____________________________________________
5. Public Face/Brand Definer: _____________________________________________
6. Other Covert Power (1): _____________________________________________
7. Other Covert Power (2): _____________________________________________
8. Other Covert Power (3): _____________________________________________
9. Other Covert Power (4): _____________________________________________
10. Other Covert Power (5): _____________________________________________
Once you’ve determined who the Power Sources are, you need to determine
how to affect them emotionally. At the core of most business interactions is
the eternal question, “What’s in it for me?” You can see that as a negative
thing if you choose, but each interaction is actually an opportunity to give the
Power Source what he or she needs. As is explained in detail in the book
How to Be a Wildly Effective Compliance Officer, everyone in the corporate
world is moved by one of four primary motivators. Here is a review of each
of them and how to use them to affect individuals.

The Four Primary Motivators


The Four Primary Motivators are:
Fear for Self
Fear for the Business
Noble Cause
Competitive Edge

Fear for Self


Fear for Self centers on the avoidance of personal pain or difficulty. Former
Assistant Attorney General for the Criminal Division of the Department of
Justice Lanny Breuer told the truth when he said, “The strongest deterrent
against corporate crime is the prospect of prison time for individual
employees.”

“The strongest deterrent against corporate crime is the prospect of prison
time for individual employees.” – Lanny Breuer

Most people in the corporate world consider themselves unlikely to be
involved in criminality. They think big fines happen to someone else, and
even if the company is fined, nothing will happen to them. It’s time to wake
these people up!
Many people are primarily motivated by Fear for Self. The science of
persuasion tells us that people are most affected by stories of individuals
most similar to themselves. Therefore, when dealing with those motivated by
Fear for Self, it is critical to engage them using stories of someone similar to
themselves. Whenever possible, use a story of someone of the same age,
gender, position in the company (manager, regular employee, board member,
etc.), or in the same industry. Tell real and specific stories that bring home
the risk to the individual. Use big number fines and trends in jail time —
which always seem to be increasing, not decreasing — to intensify the impact
of your stories. I maintain a list of resources for the compliance professional
on www.ComplianceKristy.com that will help you to find statistics and
stories that you can use.
Here’s an important tip: Deliberately look people in the eye during training
when you talk to them about the potential of imprisonment. Make the threat
real and personal. Employees are much more focused on policies when they
understand the personal cost of failure. Whenever I train outside the United
States and the United Kingdom, I warn people that they can be personally
extradited for trial and imprisonment in the U.S. or U.K. for violations of
bribery and competition laws. For many, the shock is palpable. They didn’t
know that, but now that they do, they will always be aware of the
personal risk.
During my training sessions, I always make a point of reminding people that
company money spent on fines, lawyers and investigations means less for
raises and bonuses. People connect with compliance when they internalize
that the answer to “What’s in it for me?” is: (1) their job, (2) their freedom, and
(3) their future at the organization.

Fear for the Business


The second Primary Motivator is Fear for the Business. This motivation
centers on avoidance of problems in the business. Most business leaders love
the business in which they work. Top executives, creators, owners, and board
members do not want to see the reputation of their company sullied by news
reports of illegal conduct. More importantly, they don’t want to slash the
budget and their bonuses so they can pay huge fines to the government for
corporate wrongdoing.
Like Fear for Self, people motivated by Fear for the Business are best reached
by stories of businesses similar to the one in which they work. To be most
effective, you will want to find stories of businesses in serious trouble that
are related to your business. Search for stories about businesses in the same
industry, country, service type, or size as the business for which you work.
Fines can be very expensive, increasingly in the billions for serious
violations. Fear for the Business can really be ramped up when you describe
the multiple types of sanctions that can be applied. For instance, you can
describe the difference between criminal fines and civil fines. You can also
describe class action lawsuits and private plaintiff lawsuits. If you are in a
publicly traded business, and your country allows shareholder derivative
suits, you can explain the devastation a multi-year battle with your
shareholders can cause.
You can also describe the knock-on effect many laws have if you have
multi-national operations. For example, let’s say your company operates in the U.S.
and the U.K. You can increase your effectiveness by explaining that a bribe
made entirely in another jurisdiction (for example, Japan) could cause the
company to be prosecuted in the United States, the United Kingdom, and
Japan. This knowledge can scare even the most hardened CEO.
In addition, if you work for a company that has government contracts,
explaining that the company could be debarred or not allowed to bid on
government contracts in the future can be a great incentive to create buy-in to
the compliance program from the business.
Fear for the Business and Fear for Self work in much the same way, but
touch different motivations. Many stories can be used for two purposes. If
you have a story about a business in a similar industry that has gotten in
trouble, dig deeper to try to find a story or two about individuals in the
business who suffered at the same time as the company, with individual
penalties. Stories like these emotionally connect to people with fear-based
motivations, which can help you to be Wildly Effective when you present
solutions to the problems faced by the company.

Noble Cause

This motivation centers on pride in corporate social responsibility, and in
being the most ethical company possible. For some companies in the business
community, connecting to the ideals of corporate social responsibility and
ethical business is easy. Many companies, such as Starbucks or TOMS
Shoes, use their ethical business credentials as a marketing element. For
companies who are members of the United Nations Global Compact,
corporate social responsibility is a mandate they have chosen to fund and
measure.
If you are lucky enough to work for a company with corporate social
responsibility or ethical business as part of its identity or marketing,
congratulations! Things may be easier for you, as you sell compliance as part
of the corporate mission. A company with an espoused ethos of positive
governance is much more likely to be compelled to protect its reputation, and
the reputations of its employees, by complying with all laws and regulations.
Likewise, you may be lucky enough to work with individuals or business
leaders who hold themselves to high ethical standards, and believe that
complying with the law is simply the right thing to do. If you are employed in
a company or with people who are motivated by Noble Cause, you should
work to inspire them to be their best selves when it comes to complying with
the law, and to instill in them the sense of purpose you connect to as being
part of the movement of compliance that can change, and is changing, the world.
People motivated by Noble Cause will respond most strongly to stories where
the company is put in the spotlight as one to emulate and admire. Compliance
professionals should focus on finding storylines where the business is seen to
be doing more for the world, or being at the forefront of the most ethical
business within the industry, country or environment in which the business
operates. People motivated by Noble Cause like to imagine their company is
a shining beacon on the hill. They want their company to be the benchmark
against which other companies compare themselves. Use this motivator to
show them how much better the company could be with continued
compliance investment and improvement.

Competitive Edge

The Primary Motivator of Competitive Edge centers on winning business
through the use of compliance as a business advantage. Many sales people
can be lured onto the side of compliance when motivated by winning
business through the use of Competitive Edge.
Compliance, good governance and proper procedures really can be a business
advantage. If there hasn’t yet been a scandal in your industry or region of the
world, there will be eventually. Because multi-national corporations are
frequently the ones concerned with compliance and procedures, you can tell
your business units that ethical business and a good compliance program are
the best way to position your business to win large contracts.
Additionally, world governments are more and more frequently requiring
compliance programs and supply chain compliance as part of their criteria for
awarding contracts. In the United States, for instance, government contracts
must have compliance provisions throughout the supply chain to ensure that
no forced labor is utilized. If a company has a powerful compliance program
in place, new regulations are less likely to disrupt business.
In order to effectively use Competitive Edge, you should tell stories of
similar companies in your industry or aligned industries that won contracts or
business because of the strength of their compliance program. For example, I
was fortunate enough to be at Carlson Wagonlit Travel when the
GlaxoSmithKline scandal struck. Allegedly, GlaxoSmithKline had been
moving money through travel agencies in China in order to create a slush
fund that could be used to pay bribes to doctors in China to prescribe their
drugs. All of a sudden the major multi-national pharmaceutical companies
were banging on the door at Carlson Wagonlit Travel, as it had not been
associated with the travel agencies alleged to have been involved in the
scandal in China. Carlson Wagonlit Travel’s compliance program,
membership in the United Nations Global Compact, membership in TRACE
International, and reputation for responsible business were a major business
advantage. Those memberships and programs, which had occasionally been
questioned by various people within the business, suddenly became
marketing and sales tools the business could exploit for greater sales.

Leveraging the Primary Motivator with the Power Sources

Each company will have a dominant Primary Motivator, and each individual
within a company will also have a Primary Motivator. Companies tend to
attract people with similar Primary Motivators. To be most effective, you
must leverage both the Primary Motivator of the company and the Primary
Motivator of each individual Power Source.

Finding the Primary Motivator of the Business


You can determine the Primary Motivator of the business by looking at how
the company portrays itself in its marketing. View the company’s website.
Does the company promote its ethical credentials and sustainable business
objectives? If so, your company probably has an overriding Primary
Motivator of Noble Cause. If your company’s press releases are dominated
by sales figures and descriptions of how they beat the competition, your
company’s Primary Motivator is probably Competitive Edge.
A company’s choice of values can also give a strong indication of the
Primary Motivator of the business. Does the company espouse collaboration
and integrity as its values? Or does it value cutting-edge technology and
maintaining shareholder profitability?
Another way to determine the Primary Motivator of your company is to
review what they publish or write, both in internal and external
communications. What is the story behind your company? What is the story
the company is trying to sell? Some companies position themselves as the
most ecological in the business, or the most “green.” Companies with this
sensibility are more likely to have Power Sources that respond to Noble
Cause as their Primary Motivator.

Here's Your Chance


Answer each of the following questions to help to determine the Primary
Motivator of your business:
What are our core values?
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
What image is my business trying to portray in its marketing materials?
_________________________________________________________________________
_________________________________________________________________________
_________________________________________________________________________
What types of images and colors are used to portray our company in the
media, in advertising and in our internal communications?
_________________________________________________________________________
_________________________________________________________________________
Check All That Apply:
___ My company advertises its ethical credentials (Noble Cause)
___ My company is part of the UN Global Compact (Noble Cause)
___ My company advertises its sustainable business commitments and/or
“green” credentials (Noble Cause)
___ My company advertises its aggressive culture and/or celebrates
competition (Competitive Edge)
___ My company celebrates winning in a public way (Competitive Edge)
___ My company’s imagery resonates with athletics, competition, and the
individual above the group. (Competitive Edge)
___ My company doesn’t mind being number two or three in the industry – it
doesn’t have to be number one at everything
___ My company has recently suffered a downsizing
___ Morale is really bad at my company and people are afraid of losing their
jobs
Based on all of the foregoing, the Primary Motivator at my company is:
______________________________
Once you’ve determined which Primary Motivator applies to the business,
you will know which Primary Motivator to favor in your training. Because
people tend to join a company that speaks to their own personal values and
motivations, the Primary Motivator of the company is likely to be reflected in
the majority of the people working at the company.
To get to the next level, however, you’ll need to reach each Power Source
individually with their individual Primary Motivator.

Finding the Primary Motivator of Each Power Source


In order to be Wildly Strategic, your first job is to determine which of the
Four Primary Motivators is the strongest for each Power Source. The
President of the company may have a different Primary Motivator than the
members of the Board. Although many boards have a group Primary
Motivator, if you are able to spend time with each member of the Board, you
may find that each has a different Primary Motivator.
So, how do you figure out the Primary Motivator for each Power Source?
The first way is to watch carefully during your training to see which slides or
stories seem to have the greatest effect on each Power Source. Some Power
Sources visibly wince when stories are told of executives being indicted, or
extradited to face trial. Others will become engaged when you speak of
Competitive Edge in your training. A primary reason to include slides with
all Four Primary Motivators in your training is so that you can study the
Power Sources to see what they respond to.
Watch carefully when you tell stories of executives going to jail or losing
their jobs during your training. Does the leader fidget, look down, sigh, or
roll his or her eyes? As more and more compliance investigations and
scandals strip executives of their jobs, more executives are motivated by Fear
for Self. Ten years ago, it was relatively unheard of for an executive to
receive anything other than a slap on the wrist for malfeasance. This is no
longer true. In a world where the United States and United Kingdom are
extraditing executives for bribery and competition violations, executives are
more and more aware of the perils of compliance failures. Indeed, the boards
of many organizations fire leaders who have been complicit in compliance
failures. Fear for Self can be a major motivator to get the leader to buy into
your vision.
I was training in Denmark a couple of years back, and it was clear to me that
the company leader’s Primary Motivator was Fear for Self. I determined this
because during training, the leader was clearly taken aback by stories of
executives being sent to jail. She whispered, “Oh, my gosh!” and reacted
strongly when being told of other companies whose compliance failures had
caused the downfall of prominent people in the industry.
When I met privately with this Power Source to discuss the compliance
program, I expressed my gratitude for her careful attention during the
training. I told her that I was there to make sure nothing like that would ever
happen to her. I then explained the plan to make sure nothing like that ever
happened to her. At this point, she was relieved to buy into compliance, as I
was offering a solution to her problem. She may not have known of her risks
before training, but now that the training had finished, she knew she could
experience severe consequences if she did not properly manage the
company’s business. She was therefore compelled to learn how she could
protect herself, and compliance had the answers she needed.
In contrast, choosing the wrong Motivator for a Power Source can be a recipe
for disaster. If you are dealing with a Power Source motivated by
Competitive Edge, trying to use Fear for Self may make the Power Source
feel accused of wrongdoing, or defensive. If the Power Source becomes
defensive, it is almost impossible to get the buy-in required to be a Wildly
Effective compliance officer. Likewise, if you use Noble Cause with a Power
Source who is motivated by Fear for the Business, you will likely lose your
audience, as he or she will think you are out of touch with the business
realities faced in this “tough economic climate” (and it’s always a tough
economic climate).

Here’s Your Chance


Write down the Primary Motivator for each of the Named and Covert Power
Sources you named earlier in the Workbook:

Name | Type of Power/Title | Primary Motivator


No matter how well you interact with your Power Sources, a crisis can
always strain these relationships. Nerves get frayed, people run scared, and a
strategic plan becomes more critical than ever. Let’s look at how we can best
prepare for crisis, so we can respond to it in a wildly strategic manner.
My Notes and Ideas for Implementation
________________________________________________________________________
CHAPTER 6

When Disaster Strikes, a Strategic Response is Critical

It’s 3:00 a.m., and your phone is ringing for the fourth time. It’s jarring – your head is fuzzy, and
you’re not sure what’s going on. You answer the phone and wearily say, “Hello?” It’s a crisis.
Perhaps the regulators have notified the head office about an investigation. Perhaps your European
offices are experiencing a dawn raid. Perhaps you’ve received a whistle-blower complaint alleging
fraud, or the CEO has been carrying on an inappropriate sexual relationship and it is about to be
reported in the Wall Street Journal. You’re awake now. How do you respond?
Preparing for a crisis, and understanding how to respond strategically, is a critical skill for a compliance
officer. The more you are able to be mentally prepared, the more likely you are to respond
appropriately and proportionately to the situation.

Keep Calm and Carry On


In London, there are T-shirts and souvenirs everywhere with the phrase “Keep Calm and Carry On”
emblazoned upon them. The phrase originally came from a Ministry of Information poster campaign
for the British people regarding how to manage their affairs during the Blitz of World War II, where
nearly 40,000 people were killed during the bombing.
When disaster strikes (and it will eventually), Keep Calm and Carry On. Becoming emotionally
involved will not serve you, especially in the beginning. While you may love your company and your
job, ultimately it is unlikely that your health, personal safety, or family safety will be affected or
compromised. People will be looking to follow your lead in a crisis. When it strikes, adopt the stance
that you will keep calm, make a plan, and carry on. Your leadership is tested most in a crisis. Keep
Calm and Carry On to be effective.

People will be looking to follow your lead in a crisis. When it strikes,
adopt the stance that you will keep calm, make a plan, and carry on.

Working Well with Outside Counsel


In many compliance failures, the first person you’ll contact outside company
walls is outside counsel. It’s best to create relationships with outside counsel
before you need them. Try to find go-to experts in all of the major areas of
risk in which you operate. In Chapter 2, you identified all of the major risk
areas affecting your business. Before a crisis hits, try to identify the expert
counsel in that area who you can turn to if something goes wrong. The more
that counsel knows about your business before the crisis, the more helpful
they will be in advising you on immediate next steps.
Take your time to get to know outside counsel. Invite them to come to your
company to give legal updates, or get on the mailing list of the major firms in
your area so you can receive email updates or attend webinars about changes
in the law.
When your company retains outside counsel to work on a crisis, be sure to
share all of the relevant information. There is often a disconnect between the
Legal Department and the Compliance Department over the documentation
of an investigation. You should always consider the advice of counsel, but do
ensure your counsel understands how mitigation works, and that
documentation of remediation may be critical in order to receive mitigation
or credit for cooperating with the government.

Who’s Got Your Back?

One of the first decisions you must make in a crisis is with whom to share the
information. My friend Roberta was the Director of Compliance for Europe
and the Middle East for a financial services company that was under
investigation for potentially violating sanctions against Iran. She reported to
the Vice President of Global Compliance, and had a dotted-line reporting
structure to the President of her region. The previous month, the CEO stated
he would fire anyone who was found to have tried to circumvent the Iran
sanctions. One morning Roberta received a phone call that a sales manager in
Belgium had found a way to work around the sanctions-checking software
used at the firm, and had completed a transaction with an Iranian entity.
Roberta had a choice – she knew the President of the region would want to
know immediately so he could try to control the damage, but her direct
reporting line was to her boss, the head of compliance.
Roberta called her boss and explained what happened. She then called the
President of her region, who asked if she had told her boss. When she said
yes, the President erupted. He began to scream, accusing her of violating his
trust and saying she was not pro-business. He was afraid of getting fired, as
his direct report had made the error. Roberta was conflicted. Had she done
the right thing?

When you’re facing a crisis, you must be strategic about whom you tell, and
in what order you tell them. If you’re not the global head of the compliance
program, or if you report to the General Counsel, and not the CEO or Board,
you are usually best off telling the head of compliance or the General
Counsel about the crisis first. If you are the head of compliance and you don’t
report to the General Counsel, you should usually tell the CEO about the
crisis first.
Be sure to think through whom you will tell about the crisis, but first consider
how you will tell them. Whenever you have to deliver bad news, always
follow it up with a plan for how the company can begin to fix the problem.
When people hear bad news, it is easy to want to shoot the messenger. By
stating both the problem and a solution (or a plan for investigation), you
become an ally who is alongside the business, resolving the issue.
It is tempting to share salacious stories or bad news with colleagues,
especially if your colleagues are your friends. Try to resist the temptation.
Although compliance officers are only human, we are held to a higher
standard, and required to maintain confidentiality. Sometimes this is harder
than it looks.
Several years ago, the business manager in charge of Italy was causing me
trouble. I gave him explicit directions about actions he was not to take,
because they did not comply with the law. Not only did he not follow my
instructions, he wrote an email that was later forwarded to me, alleging that
compliance had told him he could do the thing I told him not to. I was
furious, but there was no one I could talk to about it. I went to the bathroom,
closed the door, and ranted to myself about what a callous, ridiculous jerk he
was. Once I had calmed down, I went back to my desk and wrote a reasoned
email to the CEO explaining that he was incorrect – I had not authorized the
behavior, and I had email proof to show the instructions I had issued. He
wasn’t with the company much longer after that.
When deciding who to tell about a crisis, consider the following questions:

Who is my direct boss?
Who do I report to, both directly and in a dotted-line relationship?
Who needs to react to this immediately?
Who needs to make a plan to respond? This may include:
    The business or client lead
    The communications or public relations people
    The Legal Department or General Counsel, who may need to hire outside counsel
    The Information Technology or Information Security folks if it involves data
Who will be mad at me if I don’t tell them first, and does that matter?
Am I more likely to get into trouble if I tell the person, or fail to tell the person, about the issue?

Lastly, look for people who are on your side, or who have your back in a
crisis. You may need emotional support, and if you can rely on someone who
you need to tell, you’ll be in a good situation going forward.

Here’s Your Chance

Fill out the following next time you have a crisis, or as practice for the next
one:
Who is my direct boss?
___________________
Who do I report to, both directly and in a dotted-line relationship?
___________________
Who needs to react to this immediately?
___________________
Who needs to make a plan to respond? This may include:
    The business or client lead
    ___________________
    The communications or public relations people
    ___________________
    The Legal Department or General Counsel, who may need to hire outside counsel
    ___________________
    The Information Technology or Information Security folks if it involves data
    ___________________
Who will be mad at me if I don’t tell them first, and does that matter?
___________________
Am I more likely to get into trouble if I tell the person, or fail to tell the person, about the issue?
___________________

As for Roberta, did she do the right thing? The President of the region
complained to the executive committee that he wasn’t the first to know about
the issue, but the General Counsel and Chief Compliance Officer both pushed
back strongly in front of the CEO that compliance must be independent of the
business. She was supported by a strong tone from the top, and the President
of the region learned that his interests, while important, were secondary to her
capacity to do her job appropriately and in a transparent way.

Using Google Alerts and the Water Cooler

One of your best allies in protecting your business during a crisis (and before)
is Google Alerts. If you have a Google account (this includes a Gmail
account, YouTube account, and many other Google products), you can ask
Google to send you emails when certain words or phrases come up in the
news, other media or on websites.
I recommend creating a Google Alert on your name, the company’s name,
the name of your CEO, and any other words that would alert you that the
media is talking about your company or you. If your company has had a
public scandal (or is expecting one), create a Google alert with your
company’s name and the type of scandal (e.g., AliCo. and bribery) so you are
instantly aware of when something critical hits the Internet.

Here’s Your Chance

Words to make Google Alerts:


Your Name: ______________________
Company Name: ______________________
CEO’s Name: ______________________
Trigger word(s): ______________________
Trigger word(s): ______________________
Trigger word(s): ______________________

You also want to monitor the conversations around your water cooler, break
room or lunch area. Be sure to casually go into the places where employees
congregate to hear what they are talking about. You may pick up valuable
information by going where the business people talk.

Understanding the Root Cause

Whenever there is a crisis in business, the Board and executives like to find
someone to blame. Ideally the guilty party is a single individual – a “rogue
employee” who circumvented the immaculate procedures the compliance
department put into place because he or she is a BAD PERSON. Really?
Your job as the compliance officer is to get to the root cause of the problem.
Unless you understand the root cause, it is extremely hard to stop the
occurrence from happening over and over again. Is it possible that Bob in
Accounting stole because he was an alcoholic and needed the money to
support his addiction? Sure. But perhaps there is a pressure-cooker
environment in the accounts department, and lots of people there are turning
to unhealthy coping mechanisms to deal with a terrible boss. As a compliance
officer, it is your job to dig deeper and not to simply accept the party line. If
you don’t address the underlying problem, your crisis will repeat itself.

As a compliance officer, it is your job to dig deeper and not to simply
accept the party line. If you don’t address the underlying problem, your
crisis will repeat itself.

Many compliance crimes are committed by good people who let external
factors color their judgment. Common causes of compliance failures include:
Misplaced or unrealistic sales targets that cannot be achieved by ethical
means;
Unreasonable hours or working conditions, such that the employee
convinces himself/herself he or she has earned the right to steal, bribe,
or commit fraud to make more money;
A culture where winning is the only acceptable outcome;
A culture where fear, ridicule, demotion, public humiliation or firing
occur when sales goals aren’t met;
Incentives set to reward outlandish or overly competitive behavior.

Companies need to look carefully at their compensation structure and
incentives in order to determine whether they encourage compliance and
ethical behavior, or if they cross into untenable territory. Root cause analysis
that goes beyond, “He was a bad guy, a rogue employee,” is critical to enable
compliance to be more effective.

Never Waste a Good Crisis


All crises have a silver lining from a compliance perspective. When
compliance failures occur, the company’s attention focuses on compliance
and self-protection, and this creates the opportunity both for change within
the culture and for resource allocation.
I met recently with the in-house counsel for a global nonprofit company. The
company was considering investing in a global data-privacy program, but the
General Counsel was not convinced that the company needed one. Despite
operating in several countries with high-potential penalties for
non-compliance with data privacy law, he described the situation as “a solution
looking for a problem.” He didn’t want to invest in compliance until it
became a crisis. Sometimes it takes a crisis for people to recognize they need
compliance and that proactive prevention can be infinitely less expensive
than remediation after the crisis. I’m certain that the General Counsel of the
nonprofit will eventually find the problem that will require the solution, but it
will be much more expensive to implement at that time.

If you find yourself within a crisis, see the silver lining, and ask for the
resources you need to stop it from occurring again. Talk about the need to
proactively manage risk, and bring solutions to the Board, C-suite and
General Counsel that can reduce risk and enhance culture. A little crisis can
sometimes be the best cure for compliance malaise.
My Notes and Ideas for
Implementation
________________________________________________________________________
CHAPTER 7

What Does Success Look Like?

In the beginning of this book, we met Jaleel and Rashanda. Jaleel’s
strategically planned journey went much more smoothly than Rashanda’s,
but things can change over time. Perhaps Jaleel’s company gets a new CEO
who is hostile to compliance. Perhaps Rashanda’s company experiences rapid
growth and hires three people to work with her, one of whom helps her to
develop strategy around her program. The only thing we know for sure is that
a compliance program is never “done.”

Moving Targets
One of the best and worst things about being a compliance officer is that the
job is never finished. There will always be new laws and regulations. Bad
regulations will be repealed, good regulations will be strengthened, and some
laws will be litigated with outcomes that force you to change your whole
program in response.
If it sometimes feels like your work is never done – that’s because your work
is never done. The Federal Sentencing Guidelines, ISO 37001 Anti-Bribery
Management Systems Standard, and other guidance anticipate a system of
monitoring, auditing and improvement. Don’t fret if your program isn’t
perfect and isn’t finished. It’s the nature of our work.
Once you’ve achieved a goal or target, it will be time to create another one.
In this way, both this book and your program’s lifecycle are a circle. You
complete one three-year plan, and then it’s time to start the next one. You
complete your year-one goals, and then it is time to start working on your
year-two goals.
When managers and power sources change, you need to observe who now
has the covert and named power, and once again figure out which of the Four
Primary Motivators will work with each person. This workbook can be used
again and again as you go through your career. If you’re assigned a new risk
area, or a new law creates a risk area for you, go back through the exercises
to ensure you have a Wildly Strategic response. Your work is never done, and
that can be a good thing! A Wildly Strategic compliance officer will always
be in demand.

Am I a Good Compliance Officer?


Ultimately, we all want to be both Wildly Effective and Wildly Strategic in
this job. I was once asked to write an article on what it takes to be a “good”
compliance officer. The question felt enormous. Should I write about the
areas of law a compliance officer is expected to know? Should I write about
the background and expertise of a typical compliance officer, or the qualities
that they should possess in order to be effective? And ultimately, was I a
good enough compliance officer to even have an opinion about such a
subjective idea?
I started with the list of things I look for when I hire new compliance officers.
These include:
Strong internal fortitude
Capacity to tell the truth
Great listening skills
Genuine enthusiasm for the topic of compliance
Belief in the mission of compliance and ethics
Natural curiosity about the law and an interest in it
Desire and capacity to create systems and policies that work
Capacity for influence, persuasion and communication
As I wrote the piece, I began to wonder, how would someone know if they
were a “good” compliance officer? Assuming a person has all of the qualities
listed above, how would they know if they were truly effective at the job?

I thought for a long time about a single criterion that could determine whether
a person was good or bad at the job. I finally decided the best way to
determine whether a person is a good compliance officer is whether, over
time, the business proactively comes to the compliance officer with
problems, or to ask for advice. The most successful compliance officers are
those who gain the trust of the business, and who become integral to its
operations.
Luckily for all of us, there isn’t a single good/bad barometer, and we can
always learn, grow, and become more effective. It can be helpful to ask
yourself the question: Does the business (or important members of it) come
to you to seek your advice, ask for your blessing before the project starts, or
tell you what is really going on? Then congratulations – you’re good! If
you’re finding it hard to answer the question in the affirmative – take heart!
We are all learning how to do the job more effectively. And that, by itself,
means we’re “good” and getting better.

Here’s Your Chance

It is important to know our strengths and weaknesses so we can develop as
professionals. For each of the following statements, give yourself a score
from 1 – 5 (one meaning “Yes! That’s me!” and five meaning “Nope, not me
at all”).
I have strong internal fortitude ____
I have the capacity to tell the truth ____
I have great listening skills ____
I have a genuine enthusiasm for the topic of compliance ____
I have a belief in the mission of compliance and ethics ____
I have a natural curiosity about the law and an interest in it ____
I have a desire and capacity to create systems and policies that work ____
I have the capacity for influence, persuasion and communication ____
The business proactively comes to me with problems _____
The business proactively comes to me for advice ____
The business proactively engages with me before they start a project ____
I’m confident that the business tells me what’s really going on ___

Where you have higher numbers (fours or fives), hone those abilities even
more. And where you have lower numbers, work on building those skills and
abilities so that you can be even more effective at your job. Focus on being
strategic with your own personal and professional development, which will
help you enormously on your road to being a Wildly Effective and Strategic
Compliance Officer.

Remember Your Mission


When you feel really down (and we all do sometimes), it is important to take
the global view, and remember why we do this job. We fundamentally
believe people in the compliance profession make the world a better place.
You are leveling the playing field for the small businessman or woman in an
emerging market, because your due diligence procedures are making
corruption less rampant, and rewarding companies with a reputation for fair
dealing. You are making the world a better place by ensuring that your
company abides by fair labor standards, and that supply chain audits occur to
eliminate any possibility of your company engaging in modern-day slavery,
or working with companies that employ forced labor.

When you feel defeated, remember each tiny action in the compliance space
alters the corporate landscape in a way that is changing the world. The tiny
little actions your company takes are made in concert with the actions of
millions of other companies across the continents. Companies, NGOs, and
governments are changing the world, and you are on the front lines of this
change. It is up to you to create the mechanisms, policies, and procedures that
protect your company from prosecution, but these same mechanisms,
policies, and procedures make the world a better place to live in for millions
of people you may never meet.
Remember, always, that you’re making a difference by being on the side of
law and ethics. Connecting to your underlying mission is critical, so you can
keep going during the hard times.
Every Battle Is Won Before It Is Fought

Every ending, in retrospect, is simply the beginning of something new or
different. We began this journey with Sun Tzu’s advice from The Art of War,
“Every battle is won before it is fought.” You’re now equipped to take on the
battle in a strategic and mindful way. You’re ready to use emotion
persuasively. You know how to gain buy-in, and to answer people’s innate
question, “Why should I care about compliance? What’s in it for me?” Your
strategic planning and coordination will result in an effective and resilient
program that responds to risk and prevents misconduct. You are changing the
world.

My Notes and Ideas for
Implementation
________________________________________________________________________
About the Author

Kristy Grant-Hart is an expert in designing and implementing effective
international compliance programs for multi-national companies. She is a
speaker, author, professor, and thought leader in the compliance profession.
She is the founder and CEO of Spark Compliance Consulting, an
international consulting company specializing in pragmatic, proportionate,
and pro-business compliance and ethics solutions.
Mrs. Grant-Hart formerly served as Chief Compliance Officer for United
International Pictures, the joint distribution company for Paramount Pictures
and Universal Pictures, based in London. While there, she was shortlisted for
the 2014 Chief Compliance Officer of the Year award at the Women in
Compliance Awards.
Mrs. Grant-Hart is an Adjunct Professor at Delaware School of Law,
Widener University teaching Global Compliance and Ethics to Masters of
Jurisprudence students. Mrs. Grant-Hart began her legal career at the
international law firm of Gibson, Dunn & Crutcher, where she worked in the
firm’s Los Angeles and London offices.
Mrs. Grant-Hart graduated summa cum laude from Loyola Law School in
California. She holds certification as a Corporate Compliance and Ethics
Professional – International (CCEP-I) and is a member of the California Bar.
She lives in London with her husband and beloved rescue dogs, Samuel and
Mr. Fox.
Acknowledgments
I’ve loved having the opportunity to write this book with the fabulous Donna
Boehme. Your leadership and insight into compliance is a marvel, and I
appreciate everything you’ve done for me and the compliance profession.
Thank you to my beloved husband Jonathan Grant-Hart for your unwavering
belief in me and in our business. Your support has made all of this possible.
Thank you to my feisty, fearless business partner in Spark Compliance
Consulting, and dear friend Diana Trevley. I love you like a sister and
couldn’t be more grateful to have you in my life.
Thank you to our terrific editor, Erin Larison. You’re the best! Thank you,
Karen Luniw, the world’s most powerful coach. Your insight has been
invaluable in this process.
Thank you also to my wonderful family. To my Mom, Kathy Elwood –
you’re the world’s most fantastic cheerleader. Your love and support are
unparalleled. I am infinitely grateful for your belief that I could do anything I
chose to do in my life. To my gifted, glorious, beautiful sisters, Kelly Wood
and Kimberly Black, I love you. Enormous gratitude and love also to Mike
Elwood, Linda Grant, Ian Elwood, Virginia Elwood, Joyce Hart and David
Hart. Family doesn’t get more special than ours.
Thank you to my incredible girlfriends, who’ve encouraged me every step of
the way – Marnie Smilen, Natalie Leon-Walsh, Rachel Mendoza, Alison
Charbonneau, Sarah Powell, Michele Moore Fried, Megan Tepper, and Lisa
Hall. I love you all so much.
And lastly, thank you to my inspiring father, Kerry S. Grant. Even from the
other side, I still hear you singing.
