10 insights from ‘Defining roles and responsibilities’ best practices webinar with PANDORA
The world of governance, risk, and compliance can be complex. To help you navigate the challenges and realities of your compliance solution and add value to your work, our new webinar series Compliance Best Practices asks a range of leading experts to share their best practices and tips for success.
We launched our series this week with the mastermind behind PANDORA’s global privacy program – Clara Kromann.
Interviewed by Complyon CEO and Co-founder Julie Suhr, Clara was invited to explore the topic of how to plan and implement a successful compliance management program, with a particular focus on how to identify relevant roles and responsibilities from the start.
You can watch the full webinar here or find our top ten insights below.
But first, let us introduce our webinar guest…
Clara, Attorney-at-law for PANDORA, joined the global jewellery brand in 2018 with the initial task of implementing GDPR and privacy policies into the organisation.
Working largely on her own, in a non-process driven and unregulated enterprise, Clara adopted a number of strategic and creative ways to improve the understanding and commitment to compliance within the business.
The result of her approach was the launch and development of PANDORA’s global privacy program, which is currently implemented internationally by a newly formed compliance team, with Clara now guiding and advising the business on all things privacy, digital and technology-related.
With her experience of building a successful compliance program from the ground up in a non-regulated sector, Clara was our go-to guest to discuss the challenges of communicating responsibilities relating to compliance and the benefits that occur when this is done consistently throughout an enterprise.
Read on for ten major insights we gained from Clara in our first-ever Compliance Best Practices webinar.
1. Establishing roles and responsibilities is the foundation of a successful compliance program
One of the reasons Clara was a keen participant in our series was her enthusiasm for the webinar’s topic. “I think [roles and responsibilities] is one of the most central topics for anyone who is building or in the middle of implementing any type of program,” said Clara, “it’s one of the ground pillars of compliance activity.”
Drilling down into why the subject is so important, Clara explained that defining roles and responsibilities provides organisations with the foundations needed to ensure that you create a “sustainable compliance program” that lives on and keeps developing.
This step introduces the necessary accountability to your program, ensuring it doesn’t end up in a place where you create and define a great set of activities but then have no one to drive them, grow them and keep them compliant.
2. Building a sustainable compliance plan needs to consider three main components
When asked about what advice she would give to those establishing a new, sustainable program with the hope of long-term impact, Clara replied: “I think it’s extremely important to know your organisation and for me, that meant focusing on three areas: culture, ways of working and strategic direction.”
She built on these focus points with the questions below:
- Culture: Who does your company employ? What is the culture among staff? Is there a compliance-driven culture?
If, like PANDORA, your business operates in a non-regulated industry, can you identify what else drives workplace culture?
- Ways of working: What are your ways of working? How do different people or departments work in your organisation? Are you a very process-driven organisation? Or are you not?
- Strategic direction: What is your strategic direction? Where are you going? What is the driver behind the business? For some companies, compliance will be a huge driver, whereas others, for example, will be driven by sales.
With these three areas covered, you have a much better baseline for defining what makes sense for your business’ governance framework, which can help you establish what actions you need to take next.
3. Switch your legal mindset for a strategic one
Clara continued to stress the value of strategic direction, which she deemed “the most important factor” when looking into roles and responsibilities, but warned strategic thinking doesn’t necessarily come naturally to everyone working in compliance.
Typically, many of us in the sector come from legal or compliance backgrounds, which provides many benefits, but, according to Clara, has one major drawback:
“Coming from a legal background, I haven’t been trained to think very strategically from the outset. I think that it’s important to maybe throw a bit of that legal/compliance mindset away, put on your best management and strategic consultancy hat and really look into what drives your business.”
Activating your strategic mindset means you can align with what drives your management team, allowing you to then find ways to tap into those goals and get the necessary attention and buy-in that you need.
For instance, at the time Clara began planning her program, PANDORA was in the middle of a huge turnaround program to become an extremely data-driven brand that champions best-in-class practices.
Clara looked at specific KPIs, such as the push for greater personalisation, and incorporated those projects into her program to give her plan weight and relevance.
“Look for what you can find that connects with your business agenda”, advises Clara. “Find documentation, or whatever is put to the stakeholders and… dive into that.”
4. Get to know your C-suite one-on-one
In addition to aligning compliance activities with specific business drivers, Clara also took the time to really get to know and understand her C-suite before assigning her programme’s roles and responsibilities.
“I sat down with identified stakeholders in top management and had one on one interviews with them to understand – what drives them personally? What are their KPIs? What is on their particular agenda that I can utilise and tap into?”
Taking the time to speak to management individually also gave Clara the opportunity to explain how her program could help her colleagues reach their goals in a safe, compliant manner, gaining key support for her initiatives.
Getting to know your senior team, says Clara, also reveals the best recruits for your program:
“Make sure you understand [your management]. Then you know who will be great stakeholders in terms of roles and responsibilities going forward. Because, if you can understand what their agenda is, you already know who in your business is the most compliance-driven”.
5. Buy-in from C-suite is integral to the success of any compliance plan
If anyone was in doubt as to the importance of securing C-suite support, Clara echoed a key belief we hold at Complyon, saying: “[Setting the] tone from the top is absolutely essential.”
“When it comes to getting commitment from the individuals in your organisation, you need your management to be the ones that stand up and set the tone. If they are not ready to work and formulate the direction, you’re unlikely to ever get buy-in from the rest of the organisation, especially [further] down in your organisation.”
Clara explained a lack of management support creates two kinds of people. There are those who understand what you’re doing and “from the good of their heart” might take on some responsibility and implement your activities, despite themselves being at 100% capacity. Then, there are those who, without management involvement or any incentives, will question your work and its relevance to them, which does not bode well for the success of your program.
6. Offer a variety of ‘carrots’
When asked by webinar host Julie Suhr about her thoughts on practical measures businesses could take to increase buy-in from the entire organisation, including those who don’t feel compliance is “the most interesting topic”, Clara responded:
“I think you can talk about the carrot and the stick [approach]. You will have some people who are very much purpose-driven, who understand the purpose behind what we’re doing and the importance of it. And that’s really great – they already see the carrot.
But there will also be a need for other carrots for what [some] people will look at as the stick, which I think is embedding compliance-related KPIs or goals into performance evaluations and personal development reviews.”
Speaking of her experience at PANDORA, as well as knowledge of other companies that are mature in their compliance journey, Clara suggested that if you want to increase commitment, you should set specific goals that tap into your program agenda and make sure these are applied throughout the organisation, from the bottom to top management.
“I can assure you”, confirmed Clara, “if that is done, you will 100% achieve what you set out to.”
7. Choosing between a centralised vs a decentralised compliance team is company-dependent
The webinar also touched on the much-debated topic of whether compliance teams should operate as centralised or decentralised teams.
Reminding us that there is “no golden nugget” when it comes to opting for a decentralised or centralised model, Clara spoke of the need to examine your company’s structure.
“In general, at least from my experience, if you have an extremely process-driven organisation with a compliant culture and employees who are very used to working with frameworks, it works really well [to have] a centralised organisation.
In relation to Pandora, we didn’t have a very compliance-driven culture or process orientated organisation. So what we did and what we actually still have today is a very decentralised organisation where we have privacy people in the various functions.”
Clara believes this decentralised structure has the benefit of allowing companies to have compliance people truly embedded within the organisation. People are close to the action and, therefore, more able to pick up on what is happening in real-time and report back.
Adding her insights to the topic, Julie agreed, saying: “What I’ve seen from our customers is that it makes sense to start up being very centralised and then maybe pushing that out and being more decentralised as you [develop].”
8. Securing compliance buy-in takes time
Regarding timelines, a message Clara was eager to raise was that compliance does not happen overnight. “It was a journey. It’s not something that happens from one day to the next”.
In particular, getting to know management and having the opportunity to find times that worked for busy diaries, then learn more about what drives individual C-suite members, was a process that needed some time.
9. Never forget that a compliance programme should be dynamic
Talking more on the topic of managing expectations, Clara was eager to stress the importance of the maintenance of a compliance program, saying: “I think [maintenance] is something that keeps challenging organisations.”
Clara highlighted that many who share her legal background don’t necessarily like things to be in a constant state of flux and are more used to counting on their work staying within the same framework.
However, no matter what your background when approaching compliance, Clara reminded us of the importance of change:
“It’s extremely important to recognise that what you do is not static. It’s dynamic, and you need to have a mindset and an approach that follows the organisation. You will never be finished with compliance.”
10. Software counteracts issues of accountability, productivity and knowledge gaps
Rounding off the webinar, Clara and Julie discussed the value of incorporating software such as Complyon into a compliance plan to help ensure successful implementation and maintenance.
Following a short demo of the ways in which Complyon facilitates assigning and monitoring roles and responsibilities, Clara commented:
“I think that where we are at this point in time, especially if you’re working with GDPR and global privacy compliance, it is extremely hard to continue doing manual exercises, especially if you have a very dynamic organisation.”
Touching on the ways that a solution enables companies to ensure staff turnover doesn’t lead to knowledge loss, she added:
“You need to have this [tech-led] overview that ultimately leads back to accountability. At any point in time, you should be able to know, show and present what your accountability looks like. And if you don’t, you already have a compliance gap there.”
Julie and Clara also discussed how software means reducing time spent discussing who owns what or debating issues of responsibility, with Julie concluding the talk by saying:
“There’s a lot of legal counsels and risk managers who are highly educated, that spend way too much time on project management – tedious, little things, instead of the actual valuations and assessments, and so on. So that’s definitely Complyon’s goal, to minimise that.”
You can watch the full webinar with Clara here and if you’ve enjoyed our first episode, make sure to join us for our second with Bo Pyskow, CEO and Co-founder of Sixtus Compliance. You can sign up and find more information about the webinar, which will discuss how to begin and sustain the data mapping process, via our website.
You can also watch the Complyon demo that Julie and Clara discussed here. In just a few minutes, we demonstrate how to establish and manage roles and responsibilities using Complyon, illustrating three use cases in our system.