Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Amanda Raad: Welcome back to the Culture & Compliance Chronicles, the podcast that gives you new perspectives on legal, compliance and regulatory challenges faced by organizations and individuals worldwide. The clue is in the title—culture is at the heart of everything. It’s the endlessly shifting patterns that govern our environment and behaviors. The magic is in amplifying certain patterns and dampening others. Let’s see if we can pique your curiosity, get you to challenge some of your perceptions and give you space to think differently about some of your own challenges. I’m Amanda Raad, and I’m joined today by Richard Bistrong.
Richard Bistrong: Welcome, everyone. We had a wonderful recording the last time with Dorie Clark to start off the year. And today, we have Klaus Moosmayer, who it’s such a pleasure to introduce and to host on the podcast. Klaus is currently a member of the supervisory board of Deutsche Bank. He was formerly a member of the executive committee and the chief ethics, risk and compliance officer at Novartis, where we had the pleasure of meeting at their beautiful campus in Basel. And before that, he was the chief compliance officer of Siemens. Amanda, if I had to think of one person who represents the growth and respect of compliance programs and compliance leaders in our world, that would be Klaus. So, Klaus, you’ve done a great service to all of us, and welcome to the podcast.
Klaus Moosmayer: Thank you, Amanda. Thank you, Richard. Looking forward to a really insightful dialogue.
[1:45] Getting to Know Klaus
Amanda Raad: Klaus, we’re thrilled to have you here today, so thanks so much. We do these ice breakers so we can just get to know you a little bit better before we dive in, so let’s just go straight for it. What are three things that we should know about you?
Klaus Moosmayer: I’ll start with a more personal thing. In my family life, it’s an international setup, so we are a Spanish-German family, and my wife is from Spain. And our kids are living in both cultures—in the Spanish culture and the German culture. Even our dog is from Spain, although we are living in Germany. So, it’s an international setup we are living in. Second, maybe more professionally, I made my career basically in corporate crisis situations. I learned a lot, I must say, good and bad things, but I would encourage compliance professionals to make use of crisis situations. This is normally the time when you are tested and when you can make a career—you learn a lot about trust, and people you should trust and not trust. So, a crisis is another important point for me. And then, I would say, people are, for me, very important—people development, how people are making their careers outside their comfort zone, developing a team. This is also what’s always very important for me in my professional life.
Amanda Raad: Thank you for that. Alright, one thing that you are curious about?
Klaus Moosmayer: Learning new things. And I know, Amanda, you are a great driver of behavioral science. I’m not a behavioral scientist but I learned a lot about behavioral science from experts, and this was in my later stage of the career, after Siemens, when I came to Novartis. I think it’s important to stay curious, even on a high seniority level, to be open to new things like behavioral science in compliance and ethics and risk management. So, be curious, be open.
Amanda Raad: Every day I feel like I’m learning more about it. When we first started looking into behavioral science, I was so fascinated by how often it was used for commercial purposes and advertising, and not in risk. So, curious on that too. And the last thing that surprised you?
Klaus Moosmayer: I recently heard from a very renowned private business school, which also runs a board center, that said, I quote, “Compliance is not a strategic talent for boards.” I believe this is absolute nonsense, and we will definitely talk about it. But Amanda and Richard, this is still so surprising. And I’m biased, of course, that even at really great places like this major private business school, there are serious people telling you that compliance professionals should not sit in boards—this is very surprising for me.
Amanda Raad: Yes, something to be curious about too.
[4:45] Defining an Integrated Assurance Approach to Governance, Risk Management & Compliance
Richard Bistrong: And we’ll definitely deep dive into some of those issues. Klaus, I remember when we were at the International Anti-Corruption Conference in Lithuania, and we were talking about an integrated approach to governance, risk management, and compliance, and I still won’t forget how you shared, “Richard, we need to make this a movement.” So, Klaus, for those who might not be familiar with the concept of an integrated assurance approach, maybe you could share some thoughts so our listeners too can join this movement.
Klaus Moosmayer: What a wonderful conference we had together with so many people from different countries, diverse backgrounds. The next conference is coming up this year in December in the Dominican Republic, by the way, so a little bit of advertisement if your people want to offer workshops so they can apply already. If I look at the development of compliance—and Amanda and Richard, you know this best—it developed from antitrust, anti-corruption, data privacy, export controls, human rights, cybersecurity compliance, third-party compliance. Now, companies often are just patching and putting siloed departments to cover all these new regulatory requirements. And then, you have the risk department. You have the strategy department. You have the audit department. They often don’t even speak the same language, and this creates turmoil in companies if you want to come to holistic views on risk management. From an executive committee and board perspective, it makes your life really difficult because you get siloed information from all of these assurance providers.
In the idea of integrated assurance, what if you could bring governance, risk management, compliance, and controls into one basic framework? This can be done by one centralized organization. It can be done as a policy theme so that at least the functions talk to each other, use the same data, and maybe also work on the same processes. So, there are different ways to implement that, but the basic idea is to go away from this vertical view on silos—needing deep expertise and people defending their turf—to a horizontal view where basically risk management educates governance setup, compliance, policies, and controls. And this should also reduce the level of bureaucracy and craziness in the process landscape, which all of these compliance and risk silos are normally basically providing for the company.
Amanda Raad: Richard knows well that I love to go through those what I call “ABCs of risk.” Richard always reminds me, I did use the phrase once “tsunami of risk,” and as you were naming them off, it’s so true. As more risks come on and/or they move up higher on an enforcement agenda somewhere, it necessarily bumps the attention of others further down, and so, you’re always playing this game of catch-up. I’ve been talking until I’m blue in the face about trying to break down those silos and bring people together, bring the data together, bring the information together, but I have to say, I’m so curious from your perspective in the “how.” And one idea that I have is to use the crisis, as you talked about—use the big shake-up moments to try to actually redesign some things and start over. But I have found for a lot of organizations—especially bigger organizations that have spent a lot of time and energy thinking about how to build up these programs—they get a little stuck and twisted up in their infrastructure. I’m just curious if you have any examples there of how to bring that philosophy to life.
[8:45] How to Bring an Integrated Assurance Approach to Your Organization
Klaus Moosmayer: Amanda, I think you’re absolutely right. And we will maybe also talk about the resistance towards this concept—there’s emotional resistance maybe and defending your turf and your expert organization. I think in corporations we always need tangible examples. If you talk about assurance, integrity, do people really understand what we are talking about? Let’s take third-party risk management, which has pained many companies—business is always complaining that the third-party vetting, due diligence takes too long and it’s an obstruction for business. Why? Because every assurance silo passes their own third-party due diligence and approvals. So, what is integrated assurance? If you have one holistic third-party risk management system and based on a sound risk assessment, you plug in sanctions controls (if needed), anti-bribery, human rights, maybe health safety environment, quality control topics—from an integrated assurance, global thinking, “What do I need for this provider?” If you don’t do this, you end up in a very lengthy process. You always forget something. You’re not agile, as you just said, given the regulatory development to bring in actual things. Sanctions screening was, years ago, irrelevant for many industries. In pharma, it was irrelevant, basically, because there was always the good reason to basically procure medicine, but now, it’s different. A pharma company has to do the same third-party due diligence on sanctions as any other company, and without an integrated assurance system, it will not be fast, agile, and really sustainable. And there’s also a business case argument. I have the proof point—it’s much cheaper if you do it centrally on an integrated assurance level, instead of, let’s say, every year a compliance/risk department doing their own approach, just as one example.
Amanda Raad: I love the cheaper example. I also think it can be more effective, because the work that it takes to get all of the data into one place then becomes accessible to the business too, to be able to use for their purposes and their decision-making.
Klaus Moosmayer: Another example, if I may, if you think back on the COVID times, the pandemic, where many companies started support and donation programs in the crisis—you had to be very fast, but only if you work together, the crisis management team, the procurement team, the compliance team and so on, you get a good control around reputational issues. If you’re in a crisis and want to help, if you want to make donations to the communities, it has to be an integrated assurance approach, because the crisis management has to work hand in hand with the risk management, the compliance people, the audit people, and lawyers to get this in good hands.
Richard Bistrong: It’s so counterintuitive, isn’t it? If there’s a new regulation, a new risk, or a new crisis, the natural reaction is, “Let’s make a new department and find a vice president to head it.” So, this is the opposite of that. And in your articles in Risk & Compliance magazine, Klaus, which you were so kind to share, and we’ll put those in the show notes, you talked about reputational risk and crisis management. How does risk and crisis management intersect with an integrated approach? Because that would also seem to be another department.
[12:25] The Role of Risk and Crisis Management in an Integrated Approach
Klaus Moosmayer: I believe the three elements of crisis management, risk management, and business continuity management need to work together. The best example I can give you—and I think many companies are doing this in practice—is how to act on cyber attacks or big loss in IT. You have to do a proper risk assessment. Then, if the crisis hits, there has to be seamless crisis management, including—and you know this best—reputational topics, compliance topics, investor relations topics, and what many companies forget, the business continuity thing fits in. How do you keep the company going? One very practical example: how can you do payroll if your systems are down, if you don’t pay your people? When we look from a risk management point of view on these big cyber threats, of course, in a pharma company, “Can I still ship my medicine to the patients?” Because if not, the people simply die. It has to be all taken together. Another example of integrated assurance—risk management, crisis management, cyber, legal expertise—someone has to coordinate this, and not only when the crisis is in the risk management phase when you think about scenarios which could hit the company. So, I think that’s a question of life and death, to be honest, for corporations and a big argument for integrated assurance.
[13:55] Critical Functions for an Integrated Approach
Amanda Raad: Are there key functions that we should not forget that really are voices that need to be represented?
Klaus Moosmayer: I see in the core the risk and compliance function as the one who at least structures the process and runs the show. I’m biased, of course, there—these people have survived crises; they’ve run all kinds of different situations; they know normally very well how to communicate and to train. Not unimportant that you make this also a good communications topic we actually can explain. I would say, a crucial department to get included—and often forgotten—is the strategy department. Strategy departments often are heavily involved in risk management without involving the risk managers, so we always invite the strategy department for all assurance sessions, because that’s very helpful. Human resources is crucial—and I know this is now speaking to your heart, Amanda and Richard—if you want to get the cultural, people dimension into integrated assurance, the ethical dilemmas, the way people should behave in the company, you need more than support. You need cooperation with the HR department, which is very difficult, surprisingly. I’m a big supporter of a clear separation between the legal and compliance organization, but legal is very important. You need good legal advice for these assurance topics, but legal has to find its place in an integrated assurance model, and not as the leader, from my point of view—and this is a controversial debate, of course, in companies. Then, last but not least, I always try to get the business voice involved in the risk workshops, in the ethical debates. The business has to have a very strong voice in all these assurance discussions—if not, it’s not credible.
[15:50] How to Get Buy-in From a Cross-Functional Perspective
Richard Bistrong: Klaus, a clarifying question, because when you talk about HR and you talk about legal, these are highly complex and established departments. And, as you shared in the article, those can be significant resistance points to an integrated approach. In your career, have you seen any best practices to help HR and legal appreciate that this is in the interest of the business—that this is not just grabbing more responsibility at the cost of another department?
Klaus Moosmayer: On HR, I would give you one real-life example. We normally try to make people aware of the culture of a company when they onboard. We do the first training. We do the first workshops. And we said, “Why should we not start together earlier, in the recruitment process together with HR, and include questions about ethics, culture, risk management just to give the candidate already the sense, this is a company which takes ethics and assurance very seriously?” And we not only ask you: What is your credential? What was your grade at Harvard Business School? What is your expertise? But also: What would you do if you have a sales target and you would say, “I can’t achieve it?” This was a convincing experience for HR to say, “Yes, that’s also beneficial for us to get the culture a step ahead, prior to onboarding, already in the recruitment process.” I think this was a very healthy collaboration and successful collaboration.
[17:30] Board Responsibility
Amanda Raad: Such a good example of showing the collaborations that you just referenced. So, you talked earlier about some board positions that surprised you—positions on compliance or the role of compliance on boards. Speaking a little bit more about trying to bring an integrated assurance model to a board, when boards are extremely limited on time and have a whole host of priorities of things that they’re trying to work through, how do we think about getting board attention on this?
Klaus Moosmayer: I’m always a little bit surprised that many boards are arguing, “We have no time and so many things to deal with.” If you just take a step back and think, what are the three most important topics boards should consider and take time? Strategy, definitely. It’s reputation, I would say. And risk management. I would argue, these topics are at the center and core and heart of an integrated assurance system where you need people. If you are in the board, either as a presenter or as a board member, you have to be strategic, you have to think broad. But I would insist, good risk management, a high sense on reputational topics, and how it fits to strategy, these are core topics every board should consider. I believe integrated assurance professionals can add a lot of value in this regard.
Amanda Raad: You made that sound so simple, and I guess that what it’s really all about, is taking what seems perhaps impossibly complex and taking a step back. I love the way you just tied that together for not only what boards should be thinking about and need to be thinking about, but also, what kind of person can bring that information effectively to the boards. And, in fact, how do you do it? By trying to present your argument, position, offering, or your proposal into those buckets that you just set out, that goes a long way. We hear a lot of time on this podcast too talking about resources and how people do or don’t get the resources they need, and I think, sometimes, it’s about how they present the “why” behind whatever they’re trying to actually present or achieve.
[19:45] Integrating Behavioral Science
Richard Bistrong: Klaus has an article specifically about this issue in Risk & Compliance magazine. This is a lot more than presenting whistleblower reports to your audit committee—this is very complex in terms of all the different functions within the board that need to be addressed to make this work.
So, Klaus, let’s take a look at behavioral science, which is near and dear to all our hearts. Your team at Novartis were early movers and thought leaders on how we use behavioral science to inform ethical decision-making. Now, I’m sure this could be a whole other podcast and maybe it should be at some point, but I’m really interested to know, how did you start integrating behavioral science? And how can we help our listeners understand the importance of using behavioral science to inform ethical decision-making, especially in our environment of regulatory uncertainty? This is a lot more than just following the law, because, as we’ve shared, the law’s changing.
Klaus Moosmayer: I believe especially in times where there’s increasing regulatory complexity and sometimes increasing contradiction, people feel vulnerable, I think the more important it is to talk about principles. What are we standing for in the company? What are our core values? What is our constitution in the company? I always think that the code of ethics is the constitution of the company. Many companies operate on codes of conduct, which are legal compliance, and they are fine—they tell you what is legal and illegal in a certain way. But talking about behavioral science, what I learned is this is not enough to get to the hearts and minds of the people, a code of conduct. The people may be even trained, but if you ask them, “What stood out for you three weeks after training?” no one would give you any clear answer because it’s a legal text. So, for me, what is important: start with the principles and the basics, and this is the code of ethics for the company. And there, you need behavioral scientists to help you reach the people. What is really important for them? What should be written in the code of ethics? Maybe the employees should write a code of ethics. Make use of possibilities we have now in this digital world to make basically as many as possible employees part of a new code of ethics using behavioral science. Asking which context you are living in, what are the challenges you are facing? What are the 10 most important topics you want to read in the code of ethics? Is it helpful to attach to the code of ethics a kind of system which helps you talk about the biases you may have and do ethical questions? So, I think we need to really reinforce the importance of the basics, the principles, the code, especially in these times where everyone is super insecure and is pointing to the regulators and all the disruptions we see.
The constitution gives you the safe ground, at least, for the big decisions in the company and in your personal context where you’re living as an employee or as a leader.
Richard Bistrong: Anyone who’s not following your LinkedIn feed needs to follow your LinkedIn feed, because you’re so generous in what you do and how you share best practices. And I believe, if memory serves correct, you crowd-sourced your code of ethics at Novartis, which was the first time I heard those words in the same sentence. Can you talk a little bit more about what that looked like?
Klaus Moosmayer: We had to do it, because we had the pandemic. And when we said we need really a code of ethics to replace the code of conduct, we said, “Let’s make use of the situation that we are all digitally connected. Let’s create user accounts, which is at no cost basically.” So, don’t come with a cost argument if the people say, “Make the code of conduct small. Use a couple of experts in the headquarters and do a new edition, a little bit of shaping.” Be bold. It’s no cost to build digital user communications and communities to get the view of people. Go to all the countries. My main lesson in behavioral science is you need to speak to the people in their context. What is relevant for them? What are the pressure points? What are the issues which they are facing in their daily life? And then, get this back to the central team. Start a dialogue. Make the voices. Make the people proud to be part of the project to give a quote, to give their picture even. We picture then the real-life employees at the code—they’re very proud also. We did a launch event just to make this a really joint emotional happening. And that’s not about millions of dollars you need to invest—it’s just creative ideas and making it happen in companies with crowdsourcing.
Richard Bistrong: I remember seeing some very emotive videos after it was launched. So, I think you’re right—you can move hearts and minds well beyond a code of conduct. And just to add a little bit to that, Klaus, there is some recent research that talks about Gen Z and the younger part of the workforce that if they feel that they are a part of implementation and that they’re brought into it, they’re much more likely to embrace a code of ethics. Where, if they think it’s five people in windowless offices just churning out rules, policies, and procedures, they are much more likely to circumvent them because they don’t really believe that the people who wrote them understand what the business challenges are.
Klaus Moosmayer: Absolutely. Couldn’t agree more, Richard.
[26:00] The “Tightrope” Between Being a Partner and a Police Officer: Stewardship
Amanda Raad: One of the things that we often talk to people about is this perceived tension between the role of compliance in protecting the ethics of an organization and also enabling business. People talk about that sometimes as if there’s a tightrope to be walked there—and actually, the example you just gave of crowdsourcing seems like a really great way to walk that tightrope. But beyond that, we’ve heard you talk about this in terms of business stewardship. Can you tell us a little bit more about that?
Klaus Moosmayer: When I started in compliance more than 20 years ago, the image of the compliance officer was a police officer basically. It’s still somehow sometimes there, but I would say, there was a good shift. And also, thanks to you guys, because you are driving this so much to make this a topic which is engaging, you get educated people in compliance—it became a profession, and great people in there. It became historically more from the controlling side. And then, there was a trend to be only a business partner, which I also found weird. There was a time when compliance people told me, “I would never say ‘no,’ because that’s not my role. I’m just a business partner.” And I said, “This also can’t be right, because they have to be honest. There have to be points where you have to say ‘no’—hopefully not every day, but there have to be situations.” So, we thought, and we said, “You can debate words, but it’s this business stewardship.” A steward who says, “I am a steward. I’m, of course, also an expert, but I’m also an influencer— someone who thoughtfully influences the organization—and a connector,” what you have to be in integrated assurance. You have to connect different departments. Sometimes, you may have a formal mandate for this—sometimes, you do it more informally. And, as a steward, sometimes, you have to say this is going the wrong direction, “We have to steer differently.” And so, this notion of sometimes saying, “No, that’s not the way we can do it,” is also important. I think this fits nicely into integrated assurance, to be someone who connects, influences, and steers a company forward.
[28:20] Key Takeaways
Richard Bistrong: That is a fine tightrope to walk, but such an important one. Klaus, this has been such an inspiring conversation. Thank you so much for helping us to understand that this is in the realm of possible. This is just not an abstract theory—this can be done. Amanda, any key takeaways?
Amanda Raad: I really loved what you just said about being a connector, because, for me, that sums all of this up. We’re talking about bringing people together, breaking down silos, sharing voices, and I often say that that’s the thing that I feel that I have the most value in and that I get the most enjoyment from is connecting the right people. I may not have the answers, but getting the right people connected, I get huge satisfaction out of that. I think it’s so important, and I think it gets missed all the time as people try to go alone and handle situations. Thank you so much, Klaus. What about you, Richard? We need your takeaway.
Richard Bistrong: My takeaway is for organizations to appreciate that the integrated assurance approach—let’s just share what it is—it’s going to be work. It’s going to have to be intentional. It’s going to involve a lot of different parts of the organization. But more work now leads to more efficiency, less bureaucracy later on. So, I think my key takeaway is to show your functional peers what the finish line looks like here, and it’s a pretty good finish line, but to get there it’s going to take some work. My other key takeaway is I love that your code of ethics is the constitution. And, Klaus, I noticed that you didn’t say your code of conduct is your constitution—it’s the code of ethics, and I think that’s such an important distinction there in terms of what drives the hearts and the minds of a company and their employees. So, Klaus, as we draw to a close, any final advice for our listeners?
Klaus Moosmayer: For all these wonderful and courageous compliance and risk colleagues out in this world, be very proud of what you do, and in the spirit of what Amanda said, try to connect. Amanda and Richard, you are just great examples to connect the community, which is so important. I would encourage every risk and compliance professional to really—I know it’s difficult next to the demanding day on day work—connect. Try to write something, go to conferences, exchange best practices. And, again, I know the day is full of tasks, but to bring our path to a next level, we need everyone engaged. You said at the beginning, Richard, it has to be a movement to bring compliance to the next level of integrated assurance.
Amanda Raad: Well, I don’t know how to thank you, Klaus—that was really, really terrific. Where can listeners go to find more about you and your work?
Klaus Moosmayer: I always believe that it’s good in a professional way to share experiences and stories, so I really publish a lot on LinkedIn and try to bring the articles. Sometimes, they are behind a paywall—I know it’s difficult—but the Risk & Compliance magazine is a great resource where you can find the full articles, for example. Follow me on LinkedIn and write to me—I always try to respond to each and every inquiry and question I get, promise. Again, I believe as a community, Amanda and Richard, we will grow together.
Amanda Raad: Thank you all for tuning in to the latest episode in our Culture & Compliance Chronicles series. For more information about our series and any of the ideas discussed, take a look at the links in our show notes. You can also subscribe to the series wherever you regularly listen to podcasts, including on Apple and Spotify. We’ll be back very soon for our next chapter. If you have topics that you would like us to cover or novel perspectives you want everyone else to hear about, please get in touch. Thanks again for listening. Have a wonderful day and stay curious.