MyComplianceOffice Managing the Complexity of Conduct Risk and Culture Third party Risk Management is a global Phenomenon 14th December 2016

The World of Compliance has Changed The expectations for compliance have changed significantly in the last 20 years and accelerated in last 7 years Written policies………tone from the top…….even evidencing you are following your policies are no longer sufficient It is now about “good compliance, not mere compliance.”1 Conduct / Culture It’s about employee conduct at all levels Not just tone from the top Need tone from the middle also Role of conduct of third parties Best practices discussion is moving to values Compliance = rules, written, defined, monitoring, disciplining misconduct Values = principles, appropriate conduct, rewarding ethical behavior Source: Deloitte (2015) 1 1 Source: Deloitte (2015): Corporate culture: The second ingredient in a world-class ethics and compliance program

Conduct Risk: The Expectations Treat Customers Fairly Sales Practices and Motivations Act in your customer and investors’ best interests Conflict of Interests Do you now what your third parties (vendors, counterparties, sub-advisers, suppliers etc.) are doing? Regulation isn’t going away. More regulatory scrutiny on an ongoing basis. Not just a US issue, will impact all parts of your organization whatever the jurisdiction Demonstrate that firm is in control of its Conduct Risk

Conduct Risk: The Challenges Inherent Contradiction Rationalisation for budget Firm’s objective is to make money But conduct risk expects firm to act in best interest of customers or investors Third parties not aligned with organization’s objectives Asking for funds with imprecise justifications improve culture protect reputation defend against regulators Very fuzzy returns Relative maturity vs peers People at Core of Potential Misconduct Nature of Data for Control & Monitoring Data within organization across many, many systems Unstructured data Need to obtain data outside the organization Motivations (not always aligned to the firm’s motivations) People are changing over time Inconsistent (having a bad day!)

The Interrelating Components for Monitoring Conduct Risk Disparate Silos of Internal Unstructured Data Systems People Shareholders Internal Silos of Structured Data Stakeholders of Third Parties Employees External Silos of Structured and Unstructured Data

Conduct Risk: Methods Employed Culture Controls, Policies and Procedures Tone from the top Consistency Application of messaging Tone from the middle Breadth of organisation Expectations are defined Do what you said you would do True monitoring Defense against regulators Communication Actions Employee engagement Ongoing third party communications Demonstrated consistency Across all levels of organisation

Conduct Risk: Tools and Technologies Current Future? Whistleblowing Education Training Communications Usual (structured) GRC software monitoring solutions Attestations Pre clearances Logs Approval workflow Control management Case management Testing Unstructured data monitoring Instant messaging Online conversations Documents Web Social media Phone Common standards for external data Common ontologies Regulator incubators Regulator approved technologies Big data analysis (especially unstructured data) Focused research centers

The circle of compliance culture Regulatory Rules, Enforcement, and Impact to Reputation Defined Policy Monitor Procedures in Code of Conduct (Employees and Third Parties) Change of Culture Ethical decisions are embedded; Becomes part of the way of life Significant reduction in need for monitoring Many firms initially monitor to “tick the box”. Monitoring does change the culture of compliance. The change in culture embeds the compliance policies as way of life in the firm. Then monitoring is not as critical as there culture is embedded. Monitor To Change Culture  Culture Reduces the Need for Monitoring

Code of conduct maturity model Leader Feels like Use of IT Value driven processes with much less concern for rules. Also directing customers and suppliers have appropriate code of conduct. Corporate Social Responsibility(CSR) taken seriously. Integrated IT Platform Culture is extensive Pervasive Very mature program; Actively encouraged at very senior levels of organization. Tone also existing in the middle. Integrated tool for automation. Active hotline and consistent case management. Tone in the Middle Monitored Ceiling A mature program; Well supported from executive management. Implementation of policies is visible. Automation tools in use but often silos of data. Some manual. No integrated view. Active Sr Support Some IT Tools in Separate Silos Emerging Immature but evolving program. Some automation tools are employed but paper, email, wet signatures used extensively. Support from most executive management. Tick the box Initial Some straightforward training in place. Hotline but perhaps little activity. Limited support from executive management but gaining momentum. Pause after what it feel like to ask where firm perceives themselves to be. Most firms we speak with have policies, training, hotline, some initial employee processes. Starting to look at tools or we see the ones who have hit the ceiling and need to replace what they have with an integrated solution. Some support Basic Policies written down but not monitored; Little attention from executive management. Not even lip service No IT Tools