[00:00:00] Speaker A: Hi, everyone. Today we'll learn how telecommunications leader Verizon uses compliance risk assessments to advance its highly recognized ethics and compliance program. I'm your host, Bill Coffin, and this is the Ethicast.
Headquartered in New York City. Verizon is the world's second largest telecommunications company by revenue and and the largest wireless carrier in the United States with more than 114 million subscribers. To put that into perspective, if Verizon's US subscriber base was its own country, it would be the world's 12th largest by population, between Japan and the Philippines. But as a major telecommunications provider with a huge stake in data security and consumer privacy, Verizon's business places it in some very complicated and high stakes compliance territory. This makes risk assessment a crucial part of Verizon's larger ethics and compliance strategy. A strategy, by the way, which has yielded the company both world's most ethical companies honors, as well as a 2024-2026 compliance leader verification recognition. Joining us to talk about some of the compliance risk assessment practices that Verizon uses to drive its business integrity strategy is Verizon's Chief Compliance Officer, David Kass. David, welcome to the show.
[00:01:21] Speaker B: Hey, Bill, nice to be here.
[00:01:22] Speaker A: Can you talk about the risk assessment piece of your ethics and compliance program, namely who owns it? And how your team uses that as a way to drive executive engagement in ethics and compliance itself?
[00:01:33] Speaker B: Yeah, you bet. Well, let's start with who owns it. So at Verizon, we have a really strong partnership between compliance and erm and ERM is really a critical component of our compliance program.
The ERM team reports to our controller and dotted lines to me. And that partnership is really important because we wanted an ERM program that would let us take a look at a wide variety of risks and not just some subset of them. So what we end up with is a, is a risk assessment program. I'll talk about it. But that looks at a wide range of risks, including financial, regulatory, operational, legal, and we're really happy with that breadth.
I think for me, the key thing about risk assessment is that it's hard.
And so figuring out what works for people is difficult and sometimes takes some trial and error. But it's important because if you can get it right, what it really does is give life to the concept of the business owning compliance. And I think we all talk about how important it is for business leaders to own compliance. But. But it's really hard to own an amorphous concept. And the word compliance, I think is misused and abused a lot. And it's very broad. And so really, for us, what this whole process is about is about defining and making objective and measurable the things that we're expecting business leaders to own. So that's what we focus our risk assessment process on. And ultimately, at the end of it, what we want to see is a process that defines risk, that makes it measurable, and that lets business leaders know what they need to do and how they're doing. And if we've done those things, we've really empowered them to take ownership of risk, and we've. We've really created an effective risk assessment program.
[00:03:25] Speaker A: Now, I understand that you run an integrity survey that is at the heart of your compliance risk assessment. Can you talk about the survey and some of the ways that you've designed it to drive your program forward?
[00:03:34] Speaker B: Yeah. So we've been doing an integrity survey for several years, and I've been.
I've been a little surprised in how effective it is in driving executive engagement in ethics and compliance issues. And I think, just stepping back, business leaders are, almost all of them are very successful driven people. Right. That's why they're in those jobs that they're in. And they want to succeed at ethics and compliance just like they want to succeed at selling or building the network or information security or whatever else their day job is. But in order for them to succeed, they need to know what to do. They have a day job, they have something that's occupying 95% of their waking hours. And so they need some guidance. And what they see with respect to all of those other business activities are very measurable sets of data about what's working, what isn't working. There's accountability for when they're succeeding and when they're failing. And so really, for us, what the survey has been able to do is to create a framework like that for business leaders that talks about ethics and integrity in a language that they understand. And so it gives us granular data about employee sentiment on a wide range of issues focusing on integrity, but on speak up, culture, tone at the top, how employees are responding to the pressure that they're under. And especially once you start to see year over year data on how teams are doing, you start to really understand what compliance training, what outreach is working, what's resonating with people. And you're able to see the teams that are really getting traction and doing well. And that is always reflected on the survey. And you can also see the ones that maybe are a little distracted and they have organizational issues or that have other pressures on them that cause those survey scores to degrade. And ultimately whether a team is doing better or doing worse, putting that data in front of a leader, in front of a leader who's focused and driven, that gets that leader engaged. And then they really buy into all of the compliance efforts that are needed over the course of the year to address those issues. So we've been really happy with that.
[00:05:44] Speaker A: Can you talk about a way in which you gauge compliance risk on a specific process within your company as a way to broadly illustrate your approach to compliance risk in general?
[00:05:55] Speaker B: Yeah, so we, yeah, in addition to sort of the broad efforts that we talked about like the survey, we do assess risk in several different targeted ways. So I'll just give one example. We're going through a lot of transformation as a company and as we change well established processes, it's really important to assess the risks that come along with that. And so we have been thinking about risk assessment in several different ways. One is to do sort of a top down approach and make sure you're talking to the senior leaders who are leading those transformation efforts about their specific compliance risks, financial operational risks that might come about as a result of that transformation.
We are also doing though, a bottoms up review where we are surveying the specific teams that are being impacted by transformation and asking them in a really targeted way, and that word is important, in a targeted way about their risks. And so you know, you can, you can do a survey that says what keeps you up at night and there's no question I dislike more than that and it's not going to be effective. Right. Just asking you what's, what do your risks look like that that will not resonate with people, that will not get you actionable information. So what you have to do is come up with surveys that are really targeted to people. What is that? What is your transformation effort? What is your job? How is it changing? Is it a privacy risk, is it information security risk, Is it a financial risk? And ask them about those specific risks. And so that's, that's one of the ways that we're doing it as we go through transformation projects. But more broadly, we're also coming up with very similar bottoms up surveys that go out to mid level leaders at the company, again in a really targeted way that looks at their job function, asks about the likelihood and severity of the risks they face and the effectiveness of the controls that they're managing. So ultimately the goal is to get a lot of really granular data about projects, about specific business activities that again, Lets us measure it, lets us measure the effectiveness of the remedial steps that we're taking. And finally, that goal is empowering business leaders.
[00:08:05] Speaker A: Do you have any advice for other E and C professionals who would like to kind of replicate some of the success you're talking about, but from a expectations management perspective, in terms of a timeline, in terms of the kind of the lift involved to get a program to the stage where you've gotten yours?
[00:08:20] Speaker B: Yeah. So I think there have been a couple of key ingredients in making this successful. One is the partnership with erm. It's where I started at artisk discussion. I cannot overstate how important that is really working with risk professionals. It's such an important piece of solving this problem and I think sometimes lawyers, and most compliance people are lawyers, you approach it in a fairly rigid, lawyer oriented way and that is only going to get you halfway there. I think you really need to be working with non lawyer risk professionals as you go about this kind of program. And so I've been really lucky to have a great partnership with our CFO and our contributions who were really the motivating force behind setting up an ERM program and the ones who really said this has to be a partnership between compliance and finance. So that has been a key ingredient. It's also important from a talent perspective just to be able to get people who are good with data and good, have solid sort of financial and controls backgrounds. They are going to want to work in finance. And so that has been something that's really worked for us. The second piece, and again, I'm very grateful to work at a company like Verizon is a strong leadership that has had the patients to stick with this process because the dividends aren't. It isn't necessarily a quick fix. And you know, the first time you do a survey like this, the first time you start risk assessment activity, it raises questions. It's like, why are we doing this? What is the benefit? You have to be a little bit patient to start to see the benefits of this process. And I've been really fortunate to have leaders that I've worked for who've trusted the ethics and compliance team to run this process and who have been patient and now I think really see the benefits of it. But it does take a while to start to see some of those dividends.
[00:10:12] Speaker A: Well, David, thank you so much for joining us and for giving us a look at some of the best practices that are driving Verizon's ethics compliance program.
[00:10:19] Speaker B: Thank you. It's great to be here.
[00:10:21] Speaker A: To learn more about how Verizon promotes ethical business conduct within its organization, check out the Verizon ethics
[email protected] where you will find links to the company's codes of conduct, FAQs, and more. And while you're at verizon.com, also check out Verizon's impressive Corporate Social Responsibility page, which details the company's efforts on digital inclusion, human prosperity, and climate protection. To learn more about the Compliance Leader Verification Process, which offers a detailed assessment of your corporate ethics and compliance program structure and oversight, please visit ethisphere.com solutions. I'm Bill Coffin and this has been the Ethicast. For more episodes, please visit the Ethisphere YouTube
[email protected] ethisphere and if this is your first time enjoying the show, please make sure to like and subscribe on YouTube, Apple Podcasts, and Spotify. Thanks for joining us. And until next time, remember, strong ethics is good business.
