October 2014

TYCO’S APPROACH TO COMPLIANCE CHALLENGES
How Tyco Achieved Value in Compliance Management

CASE STUDY
Governance, Risk Management & Compliance Insight

© 2014 GRC 20/20 Research, LLC. All Rights Reserved. No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of GRC 20/20 Research, LLC. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines established in client contract. The information contained in this publication is believed to be accurate and has been obtained from sources believed to be reliable but cannot be guaranteed and is subject to change. GRC 20/20 accepts no liability whatever for actions taken based on information that may subsequently prove to be incorrect or errors in analysis. This research contains opinions of GRC 20/20 analysts and should not be construed as statements of fact. GRC 20/20 disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. Although GRC 20/20 may include a discussion of related legal issues, GRC 20/20 does not provide legal advice or services and its research should not be construed or used as such.

Table of Contents
- Growing Challenges on Compliance Require Change
- How Tyco Achieved Value in Compliance Management
  - The Situation
  - The Solution
- The Value of SAI Global at Tyco
  - Compliance Management Efficiency Value
  - Compliance Management Effectiveness Value
  - Compliance Management Agility Value
- GRC 20/20’s Final Perspective
- About GRC 20/20
- Research Methodology

TALK TO US . . . We look forward to hearing from you and learning what you think about GRC 20/20 research. GRC 20/20 is eager to answer inquiries from organizations looking to improve GRC related processes and utilize technology to drive GRC efficiency, effectiveness, and agility.

Executive Summary

A reactive approach to compliance, with silos of compliance operations never coordinating and working together, leads to greater risk to the organization. To enable effective, agile, and efficient compliance, organizations are developing a compliance information and technology architecture that is dynamic, proactive and information-based.
Tyco International could either hire additional employee resources to manage compliance or implement a compliance platform that delivers integrated compliance across different compliance, risk and ethics focus areas. Tyco did a careful review of compliance & ethics learning solutions in the market and chose SAI Global as a compliance and ethics content partner.

GRC 20/20 has evaluated and verified the implementation of SAI Global at Tyco and confirms that this has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized Tyco with a 2014 GRC Value Award in the domain of Compliance Management.

Growing Challenges on Compliance Require Change

In the past, compliance has been distributed and fragmented. Even when organizations had a centralized compliance function to manage critical compliance issues, compliance really was fragmented and distributed across the organization, with varying structures, accountability, and approaches taxing the business and ultimately leading to inefficient and redundant approaches. Compliance functions relied on document-centric and manual processes that were not integrated, creating challenges in accountability, reconciliation, and reporting. Compliance officers spent more time consolidating fragmented information than they did actually managing and improving compliance.

Like the multi-headed Hydra in mythology, these redundant, manual, and document-centric approaches of the past are ineffective. As the Hydra grows more heads of regulation, ethical challenges and obligations, scattered compliance departments become overwhelmed and exhausted and start losing the battle. A reactive approach to compliance, with silos of compliance operations never coordinating and working together, leads to greater risk to the organization. This piecemeal approach increases inefficiencies and the risk that serious matters will go unnoticed.
Redundant and inefficient processes lead to overwhelming complexity that slows the business, all the while the business environment requires greater agility. Compliance and ethics have become complex with the globalization of business, as the organization manages obligations across jurisdictions, geographies, and cultures. This is complicated by the distributed and dynamic nature of the modern organization, which has a complex web of employees, suppliers, vendors, contractors, consultants, and other third parties, causing a mesh of compliance risk that is difficult to unravel and manage as the organization constantly evolves. Business is dynamic: employees, relationships, regulations, risks, economies, litigation, regulation, and legislation are constantly changing. The challenge is that compliance and ethics have become moving targets.

©2014 GRC 20/20 Research, LLC; Licensed to SAI Global, Ltd. for Redistribution

The trends and forces shaping compliance require organizations to develop a sustainable strategy and architecture for managing compliance in a dynamic, distributed, and demanding environment.

The bottom line: surmounting compliance pressures requires organizations to rethink compliance across the organization. To enable effective, agile, and efficient compliance, organizations are developing a compliance information and technology architecture that is dynamic, proactive and information-based. Compliance architecture not only delivers demonstrable proof of a compliance program but also allows compliance to be proactive and forward-looking. This shift enables the ethics and compliance organization to have greater efficiency in processing and managing information, become more effective in ensuring corporate integrity, and be more agile in addressing rapidly changing business, regulatory, legal, and reputational risks.
How Tyco Achieved Value in Compliance Management

The Situation

Tyco is an international organization that provides fire protection and security products and services to more than three million customers around the world. With over $10 billion in revenues and more than 70,000 employees across 1,000 locations and 50 countries, managing compliance can be a significant challenge. The Tyco challenge: how to align 70,000+ employees and tens of thousands of third party relationships across more than 50 countries, speaking more than 20 languages, to one set of values? And in that context, how to deliver compliance training and communications programs that enable and ensure consistency in behavior and ethical decision-making?

The Solution

Tyco was confronted with a choice: either hire additional employee resources to collate and report on scattered and disconnected compliance information from a variety of systems, documents, spreadsheets or emails, or implement a core compliance solution to deliver an integrated view of information and technology that would coordinate and automate multiple programs across different compliance, risk and ethics focus areas. Hiring more people would not solve the fundamental problem: inconsistent, redundant data and systems. What further complicated this was the fact that manual reporting across systems was not only time consuming and a drain on human capital resources but also prone to error. Manual reconciliation and building of reports introduce errors and oversights and lack a good audit trail. Tyco did a careful review of compliance & ethics learning solutions in the market and chose SAI Global as their learning development partner across a number of risk areas.

The Value of SAI Global at Tyco

GRC is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].[1] Successful GRC strategies deliver the ability to effectively mitigate risk, meet requirements, satisfy auditors, achieve human and financial efficiency, and meet the demands of a changing business environment. GRC solutions should achieve stronger processes that utilize accurate and reliable information. This enables a better performing, less costly, and more flexible business environment.

GRC 20/20 measures the value of GRC initiatives around the elements of efficiency, effectiveness and agility. Organizations looking to achieve GRC value will find that the results are:

- GRC Efficiency. GRC provides efficiency and savings in human and financial capital resources by reducing operational costs through automating processes, particularly those that take a lot of time consolidating and reconciling information in order to manage and mitigate risk and meet compliance requirements. GRC efficiency is achieved when there is a measurable reduction in human and financial capital resources needed to address GRC in the context of business operations.

- GRC Effectiveness. GRC achieves effectiveness in risk, control, compliance, IT, audit, and other GRC processes. This is delivered through greater assurance of the design and operational effectiveness of GRC processes to mitigate risk, protect the integrity of the organization, and meet regulatory requirements. GRC effectiveness is validated when business processes are operating within the controls and policies set by the organization and provide greater reliability of information to auditors and regulators.

- GRC Agility. GRC delivers business agility when organizations are able to rapidly respond to changes in the internal business environment (e.g.
employees, business relationships, operational risks, mergers, and acquisitions) as well as the external environment (e.g. external risks, industry developments, market and economic factors, and changing laws and regulations). GRC agility is also achieved when organizations can identify and react quickly to issues, failures, non-compliance, and adverse events in a timely manner, so that action can be taken to contain them and keep them from growing.

GRC 20/20 has evaluated and verified the implementation of SAI Global compliance and learning content at Tyco and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized Tyco and SAI Global with a 2014 GRC Value Award in the domain of Compliance Management.

[1] This is the official definition of GRC found in the GRC Capability Model and other work by OCEG at www.OCEG.org.

Compliance Management Efficiency Value

Tyco, along with SAI Global, has been able to identify both quantitative (hard objective facts and figures) and qualitative (soft subjective opinions and experience) measures of value as they pertain to the human and financial efficiencies they have benefited from. GRC 20/20 has evaluated and verified the following quantitative and qualitative measures of compliance management efficiency value:

- With the SAI Global learning content, Tyco was able to efficiently train more than 45,000 employees through online training. The SAI Global compliance and ethics content assisted in managing the project to track completions and helped Tyco maintain an efficient compliance training and awareness program across its operations.

- In addition to online training, Tyco has also tracked offline training for more than 30,000 of its employees.
- To provide more focused training and education, Tyco also provides ongoing communications such as live compliance workshops and ethical reflection sessions to more than 20,000 employees.

Compliance Management Effectiveness Value

Tyco has been able to identify both quantitative (hard objective facts and figures) and qualitative (soft subjective opinions and experience) measures of value as they pertain to the effectiveness of compliance management that the organization has benefited from. GRC 20/20 has evaluated and verified the following quantitative measures of compliance management effectiveness value:

- Tyco has been able to confirm that 100% of in-scope third parties under contract are meeting their anti-bribery and anti-corruption requirements.

- Internal training and communication events with SAI Global’s content are being successfully and effectively deployed and tracked, including but not limited to New Hire Training completed within 45 days of on-boarding. Since the program launch in 2008, Tyco has seen the following trend, measured on a two-year cycle:
  - 2008: 58.7% of employees who observed misconduct reported it.
  - 2010: 60.6% of employees who observed misconduct reported it.
  - 2012: 72.8% of employees who observed misconduct reported it.

GRC 20/20 has evaluated and verified the following qualitative measures of compliance management effectiveness value:

- Tyco reports that they have been able to demonstrate how effective their program has been. Specifically, their culture survey metrics show that employees are more aware of what is required of them in relation to legal compliance and ethical behavior and are becoming more diligent in identifying and reporting any misconduct observed.
- Tyco’s 2014 ethics & compliance curriculum, Vital Values, includes commitment to the GEC, Conflict of Interest questionnaire completion, and education on Data Privacy, Anti-Bribery, Raising a Concern, Zero Harm, Financial Integrity and Trade Compliance. These are all critical compliance risk areas of focus at Tyco, and partnering with SAI Global enables Tyco to strengthen the organization’s compliance and ethics culture.

- SAI Global’s learning and content contributes to Tyco’s ability to measure overall compliance program effectiveness, which draws key metrics from a range of other Tyco program elements, including:
  - Tyco’s Guide to Ethical Conduct (GEC), which has been developed and deployed to every employee worldwide through the SAI Global platform in a consistent and effective manner.
  - Tyco’s Values in Action program, in which managers and their teams review and discuss case studies based on real events at Tyco and highlight different aspects of the Tyco values and policies.

Compliance Management Agility Value

Tyco has been able to identify both quantitative (hard objective facts and figures) and qualitative (soft subjective opinions and experience) measures of value as they pertain to the agility and responsiveness of GRC they have benefited from. GRC 20/20 has evaluated and verified the following quantitative and qualitative measures of compliance management agility value:

- Tyco is now more agile in a demanding business and regulatory environment. This is seen through the flexibility Tyco now has to shift focus and adapt to where the need is greatest. One year Tyco focused on third party management; the next year the focus was on Conflict of Interest, with an action plan that included an initiative to ensure all employees and third party business sponsors completed a COI declaration before year-end. Each year’s focus builds on the previous one, and metrics are monitored across risk areas even when the focus shifts to a different compliance risk.
- Tyco has been able to give key GRC stakeholders greater flexibility and agility to focus on key risks and trends, and to respond quickly to emerging risks with the appropriate risk mitigation actions.

- Tyco’s compliance program has proven its agility as it has expanded beyond employees to now include third parties. Tyco now views their third-party program not just as a Compliance requirement but as a valuable business asset in which contracts and metrics are clearly organized, with ongoing monitoring and visibility across all third-party relationships in Tyco’s extended enterprise.

GRC 20/20’s Final Perspective

Tyco has created an Integrated Risk and Assurance Team consisting of members from internal audit, internal controls and processes, legal compliance and IT. This group has been able to demonstrate a comprehensive annual review of enterprise risks (top company risks) and integrated priorities (risks identified by the integrated functions). This Integrated Risk and Assurance Team identifies and prioritizes key risks for Tyco and its distributed operations, and develops corrective and preventative measures to address these risks. SAI Global has been able to contribute to Tyco’s success over a number of years and continues to partner with Tyco as an ethics and compliance solution provider.

About GRC 20/20

GRC 20/20 Research, LLC (GRC 20/20) provides clarity of insight into governance, risk management, and compliance (GRC) solutions and strategies through objective market research, benchmarking, training, and analysis. We provide objective insight into GRC market dynamics; technology trends; competitive landscape; market sizing; expenditure priorities; and mergers and acquisitions. GRC 20/20 advises the entire ecosystem of GRC solution buyers, professional service firms, and solution providers.
Our research clarity is delivered through analysts with real-world expertise, independence, creativity, and objectivity who understand GRC challenges and how to solve them practically and not just theoretically. Our clients include Fortune 1000 companies, major professional service firms, and the breadth of GRC solution providers.

Research Methodology

GRC 20/20 research reports are written by experienced analysts with experience selecting and implementing GRC solutions. GRC 20/20 evaluates all GRC solution providers using consistent and objective criteria, regardless of whether or not they are a GRC 20/20 client. The findings and analysis in GRC 20/20 research reports reflect analyst experience, opinions, research into market trends, participants, expenditure patterns, and best practices. Research facts and representations are verified with client references to validate accuracy. GRC solution providers are given the opportunity to correct factual errors, but cannot influence GRC 20/20 opinion.

GRC 20/20 Research, LLC
4948 Bayfield Drive
Waterford, WI 53185 USA
+1.888.365.4560
info@GRC2020.com
www.GRC2020.com