Twentieth-century philosopher Albert Schweitzer said: “The ﬁrst step in the evolution of ethics is a sense of solidarity with other human beings.” As evidenced by the notorious actions of Enron and Bernie Madoﬀ in the decades at the beginning of the current century, his words ring truer today than ever before. Gone are the days where culture was just an element of a company’s compliance program or seen as nice to have. It’s a new age, and this necessity has been redeﬁned by the demands of the consumer.
Against this background, employees, customers, suppliers and strategic partners are demanding more. Not only are they expecting quality products and services to be delivered in a timely manner, but they also want to know that the company they work for or do business with embraces strong ethics and empowers its people to behave with integrity.
While many companies on Ethisphere’s World’s Most Ethical Companies® list continue to serve the public to achieve a greater good, the technology industry has made particular strides on this front by working to champion innovation and helping others through the power of technology. One standout example of a company that continues to evolve and break through barriers in complex areas such as data analytics is Microsoft, a seven-time honoree.
As it continues to iterate and improve its approach to compliance, the company recently oﬀered Ethisphere a peek through the windows at three innovative strategies that drive integrity and compliance in their business practices. All spring from a cultural and controls perspective: a unique Microsoft Runs on Trust campaign tailored to reach all areas of its business; a breakthrough approach to data science; and the management of a robust ecosystem of third parties in more than 100 countries.
For the Redmond, Washington-based software giant, it all starts with encouraging a growth mindset fueled by long-term sustainable business practices. This is something Microsoft’s Chief Executive Oﬃcer Satya Nadella often emphasizes to cultivate future leaders and maintain trust among stakeholders.
“Growth mindset as well as integrity and honesty are among the pillars of our overall culture under Satya,” said David Howard, Microsoft’s Corporate Vice President and Deputy General Counsel, Litigation, Competition Law and Compliance. “It means we are willing to experiment even if it means we sometimes fail. But we approach things from a learning perspective, always trying to learn from our failures as well as our successes and thinking about ways to innovate and improve. We’ve tried hard to apply these principles to our approach to compliance.” How that works in practice at Microsoft no doubt rings true for many ethics and compliance professionals at large multinationals.
An important part of Howard’s role at Microsoft is to ensure that Nadella’s message as it relates to issues of ethics and integrity resonates among employees and is consistently reinforced around the world. In an eﬀort to ensure that all employees understand their responsibility to make the right decision, Microsoft’s compliance program takes a unique approach to ensuring that the company’s employees and partners are able to understand and live the company’s core values. The company’s program has embraced traditional as well as innovative compliance measures to keep up with the ever-changing digital and regulatory landscape.
“Our approach to compliance is always evolving, and when one works at a global company like Microsoft with over 100,000 employees and people in about a 190 countries, you have to approach it with a certain amount of humility,” said Howard. “The truth is that it’s impossible for a company of our size with the number of employees that we have in all countries where we do business to be perfect. We just have to keep working at it and so when Brad Smith (the company’s President, Chief Legal Oﬃcer and Chief Compliance Oﬃcer) challenged us to come up with some fresh ideas, we went to work.”
Even the strongest compliance program will still not prevent or detect every violation. Indeed, Microsoft has publicly disclosed an FCPA investigation relating to activities in various countries. But the strength of applying a growth mindset to this issue is that when problems arise, a company can learn quickly and pivot its program to mitigate the risk of recurrence. “We try to step back frequently and see whether there are any patterns in the issues that have been coming up,” says Howard. “One thing we recently realized is that Microsoft has the technology to help prevent compliance problems and we started developing improvements that could work for us as well as our partners.”
Embedding and promoting a culture of trust and transparency is never easy. It requires an unwavering commitment that runs through all levels of an organization. Too often companies are unable to reach their full potential because of the lack of trust. Once trust is in place, employees feel empowered, customers feel connected and the industry progresses. The Microsoft Runs on Trust campaign was designed to do just that by ensuring employees understand the fundamental values that should guide their decision and empowering them to make the right choices.
Launched in 2016, the company-wide initiative was developed to facilitate a shift from a rules-based approach to a values-based approach where employees feel inspired to make the right decisions in all corners of the globe. To that end, Microsoft embarked on a massive project to eliminate unnecessary and duplicative corporate policies and simplify the rest. As a result, Microsoft has eliminated roughly 90 percent of its policies and made those remaining easy to ﬁnd, simple to understand and grounded on key values and principles to guide employees’ day-to-day decision-making. Microsoft also launched its Microsoft Runs on Trust campaign to emphasize that maintaining and enhancing trust with customers and other stakeholders is crucial to the company’s business success.
“Trust is about having the ﬂuency to move between cultures and generational diﬀerences and it’s something that resonates with Microsoft’s mission,” said Jeannine D’Amico Lemker, Assistant General Counsel, Oﬃce of Legal Compliance. “As employees come to work everyday and they think about trust and how they are going to do their job — that matters — it matters to their business success and to tie that so deeply to something they often think about means that we are on the right path.”
According to Lemker, equally important to the tone at the top is what many have called the echo from the bottom. To ensure the message from the top is received at all levels, Microsoft’s compliance team prepared tool kits for stewards of the program to help move the message throughout the organization. And it does not end there. To amplify the message, the compliance group has also designed training programs geared toward middle managers to encourage them to talk about ethics and compliance with their teams so that when a situation arises, they have the tools to navigate ethical dilemmas.
“Our hope is that doing good, smart work to measure and think carefully how our tone at the top and echo at the bottom are sounding similar themes means we can feel conﬁdent the message is truly landing,” added Lemker.
Now more than ever, compliance is a comparative exercise. As companies are seeing an evolution of change in practices, a real thirst exists for data and information to measure success and anticipate risky areas. Chief compliance oﬃcers work in an ever-changing legal, regulatory, social and economic environment. And while their roles continue to expand, their focus must remain on identifying and responding to emerging risks. According to Alan Gibson, Senior Attorney, Oﬃce of Legal Compliance at Microsoft, a new approach to help manage an eﬀective compliance program is to “build an early warning and monitoring system for compliance risks by using data science.”
An example of the software giant’s growth mindset can be seen in Microsoft’s Compliance Analytics Program, which employs data science to unlock actionable insights by following a simple three-step approach of gathering, analyzing and reporting. “If you look at the separate skills and disciplines that contribute to data science, it’s overwhelming, but it’s really how you use the data. Often there’s data that you may have access to, but it’s not being used as eﬀectively as it could be in the program,” added Gibson.
One of Microsoft’s core strengths is using business intelligence to see, manage and ultimately prevent unwanted events. While implementing a program that provides prioritized, risk-based analytics may sound complex, there are a variety of readily available software and online tools, including Microsoft Windows Azure, SQL Server and PowerBI that can consolidate data stored in separate systems. Microsoft applied its own data analytics capabilities to the challenge of managing compliance risks and created new data based tools to help the company detect potential issues.
This is an approach that can be extended to other organizations and industries. For example, the CCO at another company can start by framing their compliance risks as business problems that can be answered through better analysis of their own data.
“The starting point is getting an idea of what problems you are trying to solve. Then there are speciﬁc questions that analytics can answer for you,” Gibson said. “It won’t tell you how to ﬁx a problem, but it can provide numbers and names allowing you to identify or rank diﬀerent risks and spot where you may have issues.”
Imagine being able to have all the right data about a potentially risky transaction at your ﬁngertips. Instead of waiting for a call, an email or seeing a public post reporting misconduct, Microsoft’s High-Risk Deal Dashboard quantiﬁes and produces the data in real time to ﬂag an issue before it spirals out of control.
This innovative and highly integrated dashboard allows the software giant to break down data silos by providing a snapshot of the riskiest transactions — identified through data attributes — along with the status of their corresponding review from compliance and business groups across the company. From a productivity standpoint, the data is presented in an easily digestible format through charts, graphs and associated text to prioritize and isolate areas of risk or potential misconduct.
With the launch of the High-Risk Deal Dashboard six months ago, the company started ﬂagging deals for additional review shortly after they were ﬁnalized. The company is moving toward using the analytics proactively in the sales pipeline to ﬂag their riskiest deals for additional compliance oversight before they are ﬁnalized.
The dashboard reveals how interconnected and interdependent the organization is by promoting awareness of the end-to-end process of how data can be used and aggregated across the enterprise. The information collected is supported by detailed workﬂows and training is targeted to the groups accountable for reviewing the transactions. The reviews are used to update the analytics to ensure that the compliance team continues to prioritize the riskiest transactions. “Our High-Risk Deal Dashboard connects the compliance department not just with the data scientists, but also with the ﬁnance and business people who are held accountable and responsible for preventing misconduct.”
Microsoft is the ﬁrst U.S. company and the ﬁrst multinational to announce it will certify its anti-corruption program to ISO 37001. This international anti-bribery standard, released in late 2016, speciﬁes requirements and provides guidance for establishing, measuring, maintaining, reviewing and improving an anti-bribery management system. Certiﬁcation will require the scrutiny of an independent third party. Microsoft led the U.S. Technical Advisory Group of subject matter experts who authored this standard and hopes its decision to move forward with certiﬁcation will lead others to do the same.
“There’s tremendous value in having a consistent approach to anti-corruption across diﬀerent countries, diﬀerent industries and diﬀerent segments of the supply chain,” said Howard. “Currently, for instance, our distributors, resellers and suppliers have to address the anti-corruption requirements of all the companies with whom they do business, including Microsoft. The standard creates a common set of requirements that will provide clarity and consistency.”
“That subject matter experts from more than 60 countries participated in the development and drafting of ISO 37001 over a multi-year period is key to ensuring the standard is useful and relevant to organizations of all sizes, structures and geographies. This is an important bridge that enables organizations, regardless of jurisdiction, to speak the same anti-bribery program language,” said Judd Hesselroth, Chair of the U.S. Technical Advisory Group and Director in Microsoft’s Oﬃce of Legal Compliance.
The list of companies tripped up over misconduct by third parties is long indeed. In today’s complex business environment almost every multinational depends on a third party, vendor or partner to help meet the evolving needs of its business. While this tactic may have many commercial beneﬁts, the associated challenge is taming the risk exposure associated with hiring outside third parties. Even though some companies are tackling this issue head on by establishing vendor governance committees, others rely on existing functions such as a second line of defense — the various risk control and compliance oversight functions established by management — to oversee third parties.
Like many leading technology companies, Microsoft depends on partner companies to provide solutions and achieve a wide range of business objectives. One of the largest companies in the world, Microsoft partners with a diverse set of businesses around the globe. As one of the largest companies in the world, Microsoft partners include a diverse set of businesses around the world such as distributors, licensing sales and services partners, manufacturers and resellers. In this vast and complex environment, Microsoft launched a sophisticated Partner Compliance Program which the Oﬃce of Legal Compliance took the lead in developing.
Microsoft has deemed greater channel transparency a high priority. The company has piloted an initiative in ﬁve countries to transparently disclose the additional percentage discount Microsoft granted to the partner and identifying the Estimated Retail Price (ERP) for the products sold. The eventual goal is to allow the ultimate customers to use this information as part of their negotiations with the partner. Using what they’ve learned from the pilot, Microsoft launched the program for their enterprise agreements worldwide for government and state-owned customers.
“We view this initiative as a journey with the goal of integrating compliance within our end to end partner management lifecycle,” said Kumar Vijayaraghavan, Director, Oﬃce of Legal Compliance. (See Figure 1.) “The variety of partners exploded within the last three to ﬁve years, and we are seeing a transformation of the channel not just for Microsoft, but for many technology companies.”
The objective of the program is to transform discrete partner compliance-related activities into a fully optimized program operating within a coordinated framework. Microsoft sees an opportunity to work together with partners and help them build their compliance capabilities. The initiative establishes a strong foundation for a multi-year program that allows partners within Microsoft’s ecosystem to reach their full potential.
Implementing a best-in-class global partner compliance program requires clearly deﬁned ownership and the ability to sustain, scale and adapt to the ever-changing needs of third parties. With eﬀective and consistent training and partner capability building, companies such as Microsoft could immediately address their most diﬃcult links.
“Given our large number of partners, we know that it will be diﬃcult to reach each one for a routine audit or assessment,” said Vijayaraghavan. “What we’ve found to work is providing our partners with the opportunity to benchmark their practices against their peers using an independent third-party methodology. In turn, we use this comparative data to evaluate areas for improvement, which are worked into our third-party training programs.”
Connecting the dots is the Microsoft Runs on Trust campaign, a common thread that runs through the key tenets of the company’s compliance program. In the case of partner compliance, countries such as India, China and Brazil have organized partner roundtables, bringing together some of the brightest minds across the technology giant to discuss why trust is important. In addition, Microsoft’s Worldwide Partner Conference annually draws close to 16,000 partners to one location and, together with Microsoft regional leaders, helps to serve as a catalyst to inspire integrity and responsible business performance.
“While this is still a work in progress, our goal is to create a platform where partners and Microsoft leaders from their respective countries can engage, share best practices and learn from each other,” added Vijayaraghavan.
It’s not surprising that Microsoft is on the cutting edge of compliance and ethical innovation. It’s also no shock that their earnings reports continue to lead their industry. They have always been on the front end of business evolution, building Schweitzer’s sense of solidarity with people.
Microsoft knows it’s impossible to be perfect. Even if a company does everything right, it can still have issues. But by tying compliance directly to the success of achieving their mission and in an age where trust is as important as the products produced, Microsoft is a best-in-class model for how large multinationals can run their compliance operations.
Sign up for our free weekly e-newsletter for more GRC articles, job postings, GRC events, white papers & more…..click here
Aarti Maharaj is Executive Editor and Director of Digital Content at Ethisphere. She has been a Business Journalist for over seven years. Most recently, Aarti served as the Digital Content Editor at Compliance Week, where she covered compliance, risk and corporate governance news both in Europe and around the world. She was also the Editor of Compliance Week’s Global Glimpses blog. Aarti has moderated many compliance-related panels at Ethisphere and Compliance in the U.S. and Europe.
Read more about Aarti in the leadership section on the Ethisphere website: http://ethisphere.com/who-we-are/leadership/.