Compliance Trend Report


Managing Compliance Strategy, Organization & Operations in the Compliance & Ethics function

Trend Report 2023 Voxius Compliance Management Regien Haarbosch



Table of contents

Managing compliance:
• Introduction 3
• Purpose 4
• Our survey participants 5
• Key findings 7

1. The big reach: what areas are covered by compliance? 9
• What areas are covered by compliance? 10
• Importance of compliance issues 14

2. Position in the organization: Where does compliance stand today? 15
• Where does compliance stand today? 16
• Reporting lines 17

3. Compliance Perspective: Aligned or diverging? 19
• How does compliance relate to corporate interests and goals? 20
• Who eats who for breakfast? 22
• Ownership structure and compliance 23
• Approach and commitment 24
• Different perception between Compliance and the business 25
• How do you handle lack of support? 26
• Subjective topics of concern to the compliance officer 27

4. Compliance ROI: What does good look like? 28
• How do we measure good compliance? 29
• Measuring compliance success 30
• Lack of sufficient guidance for new legislation to be able to measure 31

5. Organization: and now, how? 32
• Resources 33
• Collaboration with other disciplines 34

6. Topics of concern to the Compliance Officer 35
• Operational topics of concern to the Compliance Officer 36

7. Compliance: moving forward 38
• What is compliance and why? 39

8. Methodology and participants 40
• Methodology and participants 41
• About us 42
• Participating companies 43


Introduction

The idea of this Compliance survey was born during a Voxius Compliance Round Table. Participants of these Round Tables – management level professionals with ultimate responsibility for Compliance within large multinationals – expressed their desire to get a better sense of each other’s challenges and goals within their respective organizations.

The right partner
As a strategic compliance partner to the participating organizations and expert in the Compliance domain, Voxius was the right partner to accommodate this desire and initiated a broad Compliance Survey.

58 surveys
Based on confidential one-on-one conversations with 58 non-financial Compliance Professionals, we identified trends and highlights in Compliance topics that are relevant now and linked them to achievable goals. The questions of the survey focus on the topics that are of importance to most organizations.

Personal interviews
We did not set out to conduct quantitative research. The level of maturity of compliance in different industries and between locations and size of the organizations we spoke to is too diverse to draw meaningful conclusions from quantitative analysis. Rather, we focused on personal interviews with the participants and addressed qualitative questions. This not only gave us information on the current topics but also placed those in the context of the corporate culture of the individual companies. This Trend Report presents the outcome of all surveys and interviews.

58 interviews with non-financial compliance professionals

On behalf of Voxius Compliance Management
Regien Haarbosch
Amsterdam, September 2022 - May 2023
With the cooperation of: Els Boonacker and Hielke Bruin

‘Compliance Managers within large multinationals expressed their desire to get a better sense of each other’s challenges and goals.’


Purpose

The state of Compliance
If there’s one constant within the compliance industry, it is this: the state of compliance and integrity is ever-changing. Readers of this report understand that the world of compliance is complex and dynamic, and that a great deal has changed in recent years. This is the result of increasing legislation, as well as pressure from governments and investors, but also follows from increasing social awareness. The scope of the Compliance-domain has steadily expanded, and topics like sustainability, privacy and sanctions now typically fall within the scope of responsibilities. Organizations need to operate in a socially responsible manner and leadership is becoming aware that integrity and compliance is essential to their success.

Purpose of this Report and Compliance Round Table
With this trend report, we give insight into the current Compliance needs within non-financial organizations, and thereby create visibility around the status and ambitions for the coming years, to make these more manageable. The results of the discussions held under the auspices of Regien Haarbosch are part of the Compliance Round Tables. Participating Compliance professionals have been sharing their lessons learned in these discussions since 2015 on 3 basic questions:
• What are everyone’s experiences?
• What works?
• What needs more attention?

Role of Voxius Compliance Management
The result we consistently strive for is to enable organizations to get the best out of themselves, and to play an important role in society. This fits perfectly with Voxius’ mission and vision to always contribute to the success of our clients, while empowering people and organizational company processes. To stay with this mission, Voxius Compliance Management closely monitors the developments within Legal and Compliance domains to provide our clients with optimal insight. Since 1997, we’ve advised and supported large companies in the field of executive search, strategy & operations and interim management. As we have been monitoring the changing role of Compliance within organizations since 2008, we are very well equipped to support our clients with the translation of their strategy and goals to teams and people within that domain as well.


Our survey participants

Participating organizations
This report is based on completed surveys from 58 companies, 44 of which have an annual turnover exceeding EUR 1 billion. Almost half of the participating organizations have an annual turnover of more than EUR 5 billion (based on 2021 figures).

Figure: Participants per turnover (2021)

Figure: Participant industries (organizations can be included in more than one industry)

Family-owned, listed companies and regulated industries: 9, 26 and 23 participants

Profile of participating Compliance Managers
We spoke with managers with ultimate responsibility for non-financial compliance in their companies. In most cases this responsibility is global, but in some cases, this is only for the region managed from the Netherlands.


Our survey participants continued

Participating companies per country
• Netherlands: 38
• UK: 6
• Rest of Europe: 7
• USA: 6
• Other: 5

Figure: Number of compliance professionals per company (categories: < 5, 5-10 and > 10 compliance professionals)

Figure: Number of employees per participating company (values shown range from 350 to 350.000). Companies shown: Siemens AG, Medtronic, Shell, Heineken, Thales, Coca-Cola Europacific Partners, Defensie, KLM, ASML, Sabic, Philips, Anonymous (medical devices company), Aegon, Uber, Primeale United (previously Van Oers), DSM, SHV Energy, Eastman Chemical, BME Group, Pon, Nutreco, Boskalis, Aldi, Veon, KPN, TP Vision, Fugro, Yusen Logistics, De Heus, DAF, VanderLande, Mammoet, Leaseplan, Strukton, Tennet, Prorail, Sligro, Vermaat Groep, SBM, TomTom, Royal Peterson Union Group, IHC, AMG Advanced Metallurgical Group, Ossür, Holland Casino, Van Leeuwen, AKZO, Reesink, Philips Domestic Appliances, Centrient Pharmaceuticals, Schiphol Groep, Lely industries, Mendix (Siemens), VARO Energy, Caldic, Nedap, Dorc, Haven Amsterdam.

Key findings
See the diagram on p.14.

Code of Conduct and Integrity
The Code of Conduct and Integrity are the most frequently mentioned priorities of Compliance Departments.

Informed about business plans
29% of the respondents receive the business plans of the internal customers proactively and timely. 55% are informed at a later stage, when the business plans are ready or when they request these from the internal customers. The rest are not informed at all (12%) or are informed indirectly by HQ (4%).

ESG
ESG is still at an early stage, with only 3% of the participants mentioning it as one of the top 2 priorities for their companies. However, the interviews indicate that awareness of ESG is growing rapidly.

Compliance incidents
71% of the participating organizations have experienced compliance incidents. Only half of those organizations responded by providing new compliance requirements and/or additional training.

Reporting
Most typically, the compliance function reports to the legal department (38%). An independent compliance function reporting directly to the CEO (23%) or CFO (30%) is the next most common.

Intrinsic motivation
From the perspective of the compliance officers interviewed, less than a quarter (21%) of the organizations is intrinsically motivated for compliance. This contrasts with more than a third (33%) of the surveyed compliance officers, who state that they are intrinsically motivated.
Reputational damage
(Reputational) damage is the most important deciding factor mentioned by leadership of companies on which they base their compliance decisions (32%).

Risk-based approach compliance
Compliance is still mostly framed from a risk perspective. More than half (56%) of the surveyed organizations have a risk-based approach towards compliance.

Measuring effectiveness
Top of mind for compliance officers is the ability to measure the effectiveness of their program: 35% of the respondents indicated in an open question that they want to improve in this area.

Budget satisfaction
Most respondents are satisfied (69%) with the available budget for their department. Others feel their budget is too limited (17%) or have no budget at all (14%). However, the budget is hardly ever allocated in advance but is usually provided situationally instead.

Alignment with leadership
When making compliance decisions, 49% of the participants have the same opinion as leadership and 33% partly agree with leadership. This means that 16% is not aligned with the leadership of their organizations on compliance decisions.

Expanding scope
The scope of compliance continues to expand: topics like ESG, third party screening, sustainability and human rights are becoming the (shared) responsibility of compliance officers.


The big reach What areas are covered by Compliance?



What areas are covered by compliance?

Broadening the scope

Growing themes

Compliance priorities

We know that compliance is a broad term that refers to fully conforming to rules, laws, policies, and regulations. From that perspective, a broad range of topics has been gradually added to the scope. However, in using compliance as a definition of a business area, it has also come to encompass other topics that are not (only) based in strict compliance with rules and regulations. See also the next pages, 11-12.

The specific compliance requirements that an organization must meet will depend on various factors, such as its industry, location, and the nature of its operations. However, there are several issues that overlap and are important to virtually every business. With a growing number of claims due to noncompliance and an increase in laws and regulations, more and more topics are being brought together under the compliance umbrella. However, most compliance managers regrettably notice that the occurrence of ‘issues’ does not necessarily bring behavioral change in that regard.



What areas are covered by compliance?

continued

New themes
In recent years themes have emerged that now dominate the agenda:
• ESG
• Human rights
• Issue management
• Trade Sanctions

ESG is quickly becoming a leading theme
ESG (Environmental, Social, and Governance) has moved rapidly onto board agendas. Some of the participants mention that investors are aiming for a high score on ESG criteria in order to position the company better for long term success. Others mention that their companies were already motivated for this topic and developed a Corporate Social Responsibility (CSR) in the past. Their focus is now developing towards ESG. Many participants indicated that they think along with this topic but it seems challenging for the compliance functions to define their role in the overall ESG agenda. There is no comprehensive international standard, framework or legislation to base their role on (yet).

Human Rights

Although this is typically a Human Resources domain, Sustainability and Compliance departments are increasingly getting involved (see also the graphic ‘Importance of compliance issues’). A few participants mention that the topic is a regular on the boards’ agenda.

The S of ESG stands for Social, a very broad category. It covers a multitude of topics: including human rights, modern slavery, corporate security, inclusion & diversity, employee relations, supply chain sustainability, consumer relations and personal data protection. The European Commission obliges its member states to start implementing legislation in line with OECD standards, in order to combat human rights abuses and environmental damage in the value chain of multinationals. In the Netherlands, the rules for mandatory human rights due diligence are currently in the process of adoption. Companies will soon be required to integrate human rights due diligence throughout their entire supply chain.


The participants indicate that organizations still struggle where best to house ESG. Currently, only a few companies have a dedicated ESG officer. Most companies feel it is a joint effort of multiple disciplines, with Compliance usually getting involved with the S (human rights, diversity and inclusion, community engagement, consumer protection etc.) and the G (shareholder rights, and transparency, accountability in decision-making etc.).


What areas are covered by compliance?

continued

“There are two kinds of compliance: compliance because we do business or compliance because of the business we do.” The latter refers to product compliance with different standards, like medication or medical devices.

Incident management
Has your company experienced compliance incident(s)? Did the incident lead to new compliance requirements? Did your organization set up crisis management trainings? 71% of the participants answered this question with ‘yes’; the others didn’t experience any impactful incidents. It is remarkable that only half of the companies that experienced incidents actually improved their programs based on the lessons learned. This means that the other half - nearly 35% of all interviewed organizations - did not scale up or provide additional training to prevent misconduct in the future.

(Trade) Sanctions: to which degree?
Governments can impose economic and political sanctions on other countries, entities or individuals as a form of punishment or deterrence for various reasons, such as human rights violations, terrorism, nuclear proliferation, and trade disputes. Since the war in Ukraine, Russia has been on the sanctions list of the EU, inter alia restricting trade. Due to the lack of clear government regulations, companies are sometimes unsure of how sanctions need to be applied, enforced, and monitored. The survey shows that companies interpret sanctions legislation differently. Under sanctions legislation, for example, trade in goods providing basic necessities of life may continue.

Compliance officers wrestle with interpreting this correctly: what are primary necessities of life? Do these include medical devices and telecom? What are we prepared to do or not do as a company? What impact do sanctions have on the local population? The interviews don’t provide the ultimate answer to these questions but do show that the answers to these questions vary from company to company.


What areas are covered by compliance?

continued

Third party screening expands
Today, banks and investment firms have strict requirements for customer onboarding in order to prevent money laundering and terrorist financing (KYC). Once the relationship is established, the business with third-party vendors, suppliers, or other business partners needs to be assessed (Third Party Due Diligence). Following the EU Corporate Sustainability Due Diligence Directive, states are required to transpose the directive into national law. This means that certain companies will be obliged to screen their entire supply chain to ascertain that they meet human rights and environmental standards.

Important: yes, but is it feasible?
The interviews reveal that the initiative law on Third-party Due Diligence raises many questions. The Compliance Officers expressed these concerns and questions:
√ How far should you go back in the chain?
√ How thorough should the screening be?
√ Is it sufficient to screen only the largest entity or holding company? A customer may have hundreds of entities.
√ The new regulations seem time-consuming, costly, and burdensome for many organizations. Is it possible to screen suppliers more effectively?
√ Are there tools available where each link in the chain gives input on its own contribution? This would speed up the process where each link bears its own responsibility.
√ Will this also lead to tightening of the KYC requirements by banks and investors in the future?
√ What if the screening reveals a red flag? Do you investigate further and if so, how?
√ Which steps do you take once you have identified a PEP? Who signs off?
√ Not all countries are introducing similar legislation at the same time. Will this create a competitive (dis)advantage?


Importance of compliance issues to organization under responsibility of Compliance Department

Compliance priorities
The participants were asked to list the most essential topics for their organizations. The Code of Conduct and Integrity/business conduct/ethics are by far the most frequently cited priorities regardless of industry or degree of regulation. The data collected also accounts for the fact that some participants marked multiple topics as essential.

Figure: importance of compliance issues, value shown per topic
• Conduct / Code of Conduct: 39
• Integrity, business conduct, ethics: 37
• Export control / Trade sanctions: 33
• Anti-bribery & Corruption / ABC: 32
• Data Protection / Privacy: 31
• Governance: 26
• Whistleblower policy / Speak-up: 25
• KYC / Third party contracting: 23
• Risk Management / CFO topics: 23
• Supervisory Board / Advice: 23
• Executive Board Support / Advice: 23
• Fraud: 19
• Relations with external supervisors: 18
• ESG / Corporate Social Responsibility: 18
• Antitrust / competition law: 17
• Internal investigations: 12
• Inclusion & Diversity: 11
• Human Rights / Child Labour: 10
• M&A / Post-Merger due diligence: 9
• Insider trading / Listed companies: 8
• Crisis / Continuity Management: 8
• Tenders / Supply chain: 7
• Insider threat / Company Data Confidentiality: 6
• AML: 6
• Product Compliance: 5


Position in the organization Where does compliance stand today?



Where does compliance stand today?

Integration of GRC
Most participants are in favor of a more integrated approach between Governance, Risk Management and Compliance. These three critical areas of business are inextricably linked and therefore need to be handled in unison.

An integrated compliance program helps to understand how all the processes are impacting each other within the organization. To be able to assess this, the following questions can be helpful:
• How does your third-party screening process impact your overall risk assessment?
• Which risk factors do your processes have in common? Is it possible that changes in one process (compliance) will affect the other (risk)?
• Is it fair to say that your program assessment is accurate if you are not evaluating your compliance program holistically?

Integration into the business
Better alignment/integration into the business is often cited as a key success factor and priority. The survey shows that compliance is not always fully, or timely, aware of the objectives of other departments. Operation largely takes place in silos, and the link to departments such as Sales, HR and Security could be improved.

Some respondents struggle with the best way to design the working relationship with Audit and Legal, as both departments may cover related or overlapping topics.

“How well informed is the compliance department about the business plans and the compliance needs of the internal customers?”

Figure: answers to this question in number of participants. Answer categories: timely and fully involved in the formulation of those business (unit) plans; fully informed once those plans are ready; informed about those plans when they ask for it; not informed about those plans; indirectly informed by HQ. Values shown: 14, 18, 17, 7 and 2.

• 29% of the respondents receive the business plans of the internal customers proactively and timely
• 55% are informed at a later stage, when the business plans are finalized or when respondents request these internally
• The rest of our respondents are not informed at all (12%) or are informed indirectly by HQ (4%)


Reporting lines

Who does compliance report to?
Most respondents indicated that their compliance function reports within the legal department to the General Counsel or Chief Legal Officer. An independent compliance function reporting directly to the CEO or CFO is the next most common. It is striking that only a few participants (also) have a reporting line to the Supervisory Board or the Board of Commissioners. Moreover, for those who do have this opportunity of an open line of communication with the Supervisory Board, it is not always clear what they should report. Merely incidents? Or should they present other sensitive topics as well?

Majority reports within legal department
• Within the legal department: 23
• It is a separate function reporting to the CFO*: 18
• It is a separate function reporting to the CEO*: 14
• It is an independent function reporting to the Supervisory Board: 2
• Within the internal audit or risk department: 2
• Other: 1
* Two respondents report to both the CEO and the CFO (functioning as the Executive Board)

The Compliance Officer with ultimate responsibility over the full scope of compliance is situated in different places in the organization.


Reporting lines continued

Independence of compliance function?
Should the compliance function have an independent role within an organization? Having an independent compliance position can help ensure that compliance issues are identified and addressed effectively. This follows from the reasoning that an independent compliance function is ‘free’ to act as a check and balance to other parts of the organization and, thus, able to raise concerns or make recommendations without fear of repercussions. If an independent compliance function is more effective, it is important to determine what it is that makes the function truly independent within specific organizations: Reporting lines? A stand-alone team? Dismissal protection? Their own budget?

Participants have different views on (the desired degree of) independence for their role. Neither is there unanimity on the most desirable reporting line. To Legal, CFO, CEO, the supervisory board? Participants confirm that having an independent compliance role or team solely focusing on compliance sends a clear message to employees that compliance is taken seriously and that the organization values ethical behavior. Only a few participants in this survey are protected by a charter and benefit from dismissal protection. In this regard, not everyone agrees that an independent (and as such somewhat protected) position is necessary to be successful in their job/position. However, everyone is unanimous in the opinion that compliance must be given a mandate and sufficient resources in order to perform the function independently and successfully.

Participants are unanimous in the opinion that compliance must be given a mandate and sufficient resources in order to perform the function independently and successfully.


Compliance perspective Aligned or diverging?



How does compliance relate to corporate interests and goals?
The majority of the participating compliance officers confirm that their organizations have moved from reactive to (more) proactive on compliance topics. An indication of this is that many organizations invest in integrity awareness training, with the intention to influence conduct and risk assessments.

Drivers and incentives
From the answers to this question, it can be deduced that companies are still mostly guided by external factors when structuring their compliance program. Management mainly wants to avoid reputational damage, reduce the risk of getting caught, avoid fines and other penalties.

About 21% of the corporate leadership is intrinsically motivated for compliance. Compliance officers are more personally engaged: 32% of them don’t see any other way to do their job other than with a strong internal motivation.

See a breakdown of incentives of compliance officers and management on page 21.

Compliance ‘feeling’: consistency in behavior
Management needs to make sure that the strategy of the company and the compliance efforts are aligned. Compliance professionals expect (and need!) that senior managers have their back and that they not only talk about acting with integrity and responsibly, but also show it: ‘walk the talk’. Often there is still a gap between companies’ intentions to better manage corporate integrity and the actual performance: the say-do gap.

The driving force shifts
Participating compliance officers indicated that the importance of a good compliance program was increasingly recognized in recent years. The driving force shifts from:
• Externally motivated: prudentially defensive compliance with laws & regulations (avoiding fines and reputational damage);
To:
• Internally motivated: intrinsically wanting to contribute to a better world for internal and external stakeholders or at least reduce and eventually eliminate environmental and social damage.

Companies are becoming aware that it pays off to present themselves as an attractive market participant: “Compliance gives us a competitive edge.”


How does compliance relate to corporate interests and goals?

continued

An increasing number of customers want to engage only with companies where compliance is taken seriously. Indeed, the lack of a credible program can mean being shut out (in tenders, for example). In addition, young staff prefers to engage with an organization that values ethical behavior. Survey participants were asked about the considerations underlying compliance decisions. The outcomes are presented in the graph on the right.

“How important are the following elements when you make compliance decisions?”
1 = most important / 7 = least important; 2 answers per participant

Values per element, given as “For you” / “For the company (management)”:
• Other potential damage to business if we fail to comply with our compliance (continued damage): 37 / 37
• We are intrinsically motivated for ethical and compliant business operations: 38 / 24
• The amount of the fine we will receive if compliance is not sufficient (fine): 14 / 21
• The potential revenue we miss if we are strictly compliant (lost revenue): 15 / 8
• Risk of getting caught: 8 / 13
• The potential revenue we gain with a solid compliance program (compliance required by new customers): 3 / 8
• The costs associated with a proper compliance program (cost doing business): 1 / 5


Who eats who for breakfast?

Compliance culture and corporate strategy
The experience of participating compliance officers shows that a clear allocation of responsibility for the compliance department at management level has a positive influence on the ‘tone from the top’ and thus on the compliance culture. A solid compliance culture is built by leadership that sets an example and helps to understand the importance of corporate values.

Training and conduct
Most participants provide training sessions to employees and leadership to help understand the importance of organizational ethical values. Creating a culture of compliance will lead to good behavior and, consequently, better decision making. In addition, most organizations promote a Speak-Up culture in order to raise sensitive business dilemmas and potential violations of the Code of Conduct. Respondents report that a particular challenge they face is to effectively train employees in other countries. First of all, how do you get a good picture of legal requirements per country? Secondly, do the reports reflect reality or do people report too positively? Especially if the circumstances are clearly difficult (such as in embargoed countries), compliance officers indicate that additional information and training will often be necessary.

“Rules tell us what we must do; values tell us what we should do.”


Ownership structure and compliance

The survey shows that compliance is still most often framed from a risk perspective. However, it also appears that it is gradually evolving; companies are now also looking for opportunities to create value (value or principle-based approach). Especially regarding ESG, organizations realize that more attention to these factors leads to value creation. The survey did not reveal a direct correlation between ownership structure and support for compliance. For family owned, listed and private equity companies alike, managing risks and protection of investments is essential. Private equity (PE) is increasingly attentive to ESG factors. This follows from a new focus on value creation, where compliance was originally the main driver.


Approach and commitment

Compliance strategy
• Commercial based: 1
• Principle / value-based: 15
• Risk-based: 37
• Rules-based: 13

“Does the Compliance function have a mandate to do what is – or is deemed - necessary?”
• yes: 50
• insufficient: 2
• no: 6

“Has sufficient budget been allocated to fulfill the compliance position properly?”
Figure: answer categories yes, tight and no; values shown: 9, 31 and 18.


Different perception between Compliance and the business

Most companies still have a strongly risk-based approach to compliance, the ‘business comes first’ mentality. However, it is slowly evolving into looking for opportunities to create value. With the expansion of compliance to new developing areas such as third-party screening and ESG, companies are recognizing the need to scale up. ESG especially is becoming increasingly critical for all companies across all industries. The outcome of the graph on page 20 shows that for at least some companies, using compliance as a key area of competitive advantage is a priority, but it is still a small minority:

For 7% of the organizations: “The potential revenue we gain with a solid compliance program (new customers acquired through good compliance) is the most important or second most important consideration when making compliance decisions.” Companies with a mature program manage to retain not only customers but also new employees because of their positive approach towards compliance. Customers will be acquired through tenders but also because of 3rd party legislation and the desire of a growing group of customers who only want to do business with companies they want to be associated with. Therefore, a solid program can actually provide new revenue, but that is still reserved for the happy few.

Where the friction is most palpable

The difference in opinion of the compliance officer versus leadership (graph on page 26) illustrates that compliance sometimes must work hard to get everyone on board. In practice, the responsibility for compliance is typically assigned to a specific individual or team within the organization, such as a Chief Compliance Officer or Compliance Department. However, it should be a shared responsibility across the entire organization, from senior leadership to front-line employees. Also, if Compliance has insufficient mandate to do what is needed, then the friction becomes palpable.

“Does the Compliance function have a mandate to do what is – or is deemed - necessary?” About 10% of the participants respond to this question with: “No”. They struggle to fulfill their role in an effective manner.

[Chart: responses to the mandate question (yes, insufficient, no).]


How do you handle lack of support?

“Keep driving the movement”

When organizational goals don’t align with compliance drivers, it can be quite challenging to get everyone moving in the same direction. Where compliance is merely seen as a box-ticking exercise, it is crucial to build the awareness of consequences that can result from non-compliance within your workplace (fines, reputational damage, personal liability etc.). As one respondent clarifies:

“Compliance keeps the board out of trouble and out of jail.”

A more positive approach is to show what the benefits of a solid compliance and integrity program are. Those who feel that they don’t have enough support, try to shift the compliance function from a hated ‘policeman approach’ into a true partnership. They help to understand the ‘why’, provide training and try to make it a shared responsibility.

However, the drivers behind decisions will typically never fully align, as one participant shares:

‘As a compliance professional, you naturally have other considerations than management when making decisions. In the first place because, as a specialist, you have a better understanding of the compliance playing field. Secondly, in your role you are focused only on one discipline whereas management is responsible for the entire company. You will never be completely aligned; the main task is to ‘keep driving the movement’.’

[Chart: How aligned are compliance officers with the leadership of the company on the importance of compliance? The most important elements when making compliance decisions for leadership and compliance are compared. Categories: Completely aligned (the same opinion on 6-7 of the elements); Somewhat aligned (the answers differ for 2-5 of the elements); Not aligned (different priorities on 6-7 of the elements). Values shown in the chart: 26, 19, 13. See also p. 20.]


Subjective topics of concern to the compliance officer

Compliance professionals (should) ask themselves…

√ Are senior leaders and managers at my organization voicing a commitment to compliance? Are they modeling ethical behavior, especially in the face of competing priorities?

√ How do you demonstrate that the program actually contributes to the success of the company?

√ Do boards possess sufficient context to interpret the compliance reports they receive?

√ How do you describe the integrity culture (speak-up)?

√ Should the compliance officer submit a statement of conduct upon his/her appointment (VOG)?

√ You don’t know what you don’t know. Do you accept that?

√ Under what circumstances would you quit your job?

√ Is it essential that you are completely aligned with management when it comes to making compliance decisions?


4. Compliance ROI: What does good look like?


How do we measure good compliance?

Maturity of compliance

Compliance and ethics programs are maturing. Programs of companies operating in a regulated industry tend to be more mature because they are under the scrutiny of regulators. Regulators can conduct audits, impose fines and have several other methods available to make sure organizations comply, contributing greatly to awareness.

On the other hand, the interviews with compliance officers also show that while management may encourage a compliance culture, their support is absent in the face of competing interests and/or business objectives. Several participants mention that their companies claim to be intrinsically motivated, but the Compliance department lacks sufficient budget or mandate to fulfill their tasks efficiently. There is still a lot of work to be done.

How mature a program really is, also depends on the way incidents are managed, availability of resources, technology, reporting methods etc. Even without looking into these elements in detail, we can conclude that there is increased awareness across the organization of reputational, strategic and fraud risks (external motivation). Additionally, there is more attention for integrity and ‘doing good’ (internal motivation), as a respondent very explicitly stated: ‘Compliance is our license to operate’.



Measuring compliance success

‘What are the chances that I’m getting hit by lightning?’

The survey brings to light that many compliance leaders (35%) would like to find a way to measure the effectiveness of their program. In fact, it is often mentioned as a priority as it would help if they could show management the extent to which risks are managed and how the program is perceived in the organization. Management likes to be convinced before providing budget if they do not see a causal relationship.

‘What are the chances that I’m getting hit by lightning?’ or ‘How many more will I sell because of it?’, are some of the C-level comments mentioned by our participants.

ROI

‘What does good look like?’

‘If you think compliance is expensive, try noncompliance!’ This is a well-known statement often used by compliance departments. The organization needs to invest if they want to build a solid compliance culture. Each year, the budget required will have to be reconsidered. It is hard to convince the board if you argue: ‘We didn’t have a single fine, so we avoided a lot of costs!’ It is impossible to prove something that did not happen. Luckily, there are aspects of compliance that can be measured: reduced risks, improved reputation, improved efficiency, increased funding etc. This can be measured in relation to the compliance or risk appetite of each individual organization.

In this data driven world, one quickly thinks of metrics or certification (‘stamp of quality’) to measure the program. There are several methods to evaluate the effectiveness: risk assessments, employee training, incident management, audits, performance metrics etc. But while these metrics provide some insight, they do have their limits. Data is very static and in organizations culture continually evolves (mergers, people move around etc.) and with that, the commitment of employees is ever changing. Moreover, feedback from customers, regulators and true ethical behavior etc. stay out of scope. Even for those who have enough budget to measure the effectiveness of the program, there will always be a blind spot.

Toolbox

Most compliance departments use software products to manage and maintain compliance with regulatory requirements, industry standards, and internal policies. The tools below are mentioned most by the participants.

“Do you use (software) tools for optimizing compliance work processes?” (1 = most used, 7 = least used)

1. Speak-up (whistleblowing)
2. 3rd party screening
3. Privacy
4. E-learning
5. Tailor made tools
6. KYC
7. Gifts & entertainment


Lack of sufficient guidance for new legislation to be able to measure

Sanction legislation

Under the Sanctions Legislation, it is prohibited to do business with companies, organizations or individuals that are on the national, EU or UN sanctions list. Although lists are available stating to whom and what may not be supplied, some respondents indicate that they would like more guidance to determine what is and is not allowed.

It turns out that the law is not clear on many points, such as in respect of the reporting procedure. It becomes even more complicated if companies try to implement the law in other countries. Organizations are waiting for case law or more clarity from the legislator before they can be (fully) compliant.

Speak-up policies

On February 18th, 2023, the new Dutch Whistleblower Protection Act came into force. This law offers far-reaching protection to those reporting abuses. For most participants, whistleblowing is an important priority in their program, and they already have an internal Speak-Up procedure for employees in place. Respondents are, however, facing challenges in implementation and measuring the effectiveness of their procedures.

Compliance officers are also asking themselves:

√ Are their companies devoting sufficient attention to whistleblower and nonretaliation requirements?

√ How do you know if employees actually feel protected?

√ Is it a good sign if few reports are coming in or does it just mean that workers don’t feel safe enough to report?

√ And vice versa, do a lot of reports mean that the system is working, or does it just illustrate that there is a lot wrong?


5. Organization: and now, how?


Resources

‘Pragmatism over preaching from moral high-ground’

This survey shows that compliance professionals rarely have their own budget for hiring staff, outside counsel, consultants or using resources like tooling or analytics. A reason for this may be that compliance tasks are often split across multiple departments: HR (privacy, D&I), ESG (Sustainability, Board), Risk Management (Finance), and Anti-trust (Legal). Most participants are in favor of an independent budget allocated to the Compliance function, so that they can hire dedicated team members and focus on mitigating risks.

About 17% have a limited budget or access to resources on an ad hoc basis; 14% have no budget at all. See the graph on page 24. The interviews also showed that respondents don’t always have enough insight into which amount of budget would be necessary and/or realistic. Should this depend on turnover, exposure to risks or is there perhaps a commonly used ratio? Most companies favor a pragmatic approach in this regard and do not want to be ‘preaching from moral high-ground’.

Has sufficient budget been allocated to fulfill the compliance position properly?

Even though Compliance regularly does not have a dedicated budget, most (69%) participating compliance officers say they are satisfied with the budget(s) they are given to support their role. The outcome of this question needs to be nuanced since the funding is hardly ever allocated in advance but is provided situationally instead.


Collaboration with other disciplines

The Compliance department is by no means always fully, or timely, aware of the objectives of other departments. Some participants specifically indicate that it is important to understand the various (sometimes conflicting) interests. Compliance must have good knowledge of the organization’s business needs, in order to prevent ‘check the box’-behavior. Because the commercial activities prevail, the business often does not experience, and therefore incorporate, the importance of compliance training and can succumb to cutting corners in their daily operations.

Collaboration with external experts

To keep their substantive compliance knowledge up to date, compliance officers make use of these sources:

‘To be well informed about the developments in external compliance requirements from, for example, laws and regulations, the compliance department uses:
• Law firms (e.g. masterclasses on jurisdictions)
• Consultants (e.g. Big 4)
• Publishers (e.g. compliance newsletters or other general sources)
• Training organizations (e.g. participation in courses, seminars, etc.)
• Other sources, for example personal network’

Design new scope: a look into the future?

Thus far, the organizational capacity to support the increasingly broad (ethical) drivers behind Compliance is still quite limited and is also perceived as such by the Compliance function:
• Responsibility for the topics is dispersed across the organization
• Required budgets and resources, in both time and money, are limited, ad hoc and/or spread across the organizations
• Consistency in approach is lacking and underlying processes, tooling and monitoring are still at a low level of maturity

This means there is still work to be done, which may also require the creativity of new types of solutions, such as developing tools for third party screening by parties themselves in the supply chain.


6. Topics of concern to the Compliance Officer


Operational topics of concern to the compliance officer

“Should the Compliance Officer role be independent with dismissal protection? Access C-level or Supervisory Board?”

“What is the most desirable reporting line of compliance? Legal, CFO, CEO, executive board? Or reporting to CEO and functional line to CFO. Alongside the GC.”

“When do you start internal investigations? Should this be conducted by compliance or another department/external?”

“Is it best to have a central compliance role or to break it down by subject and place it with specialists in the organization? Distribute compliance as a sub-task across the organization? How can the decentralized approach be managed effectively?”

“When is good good enough?”

“How do you meet all the KYC and AML reporting demands from banks?”

“How far can you go? What can you ask of employees? E.g. frequent presence in the office?”

“How do you get a good picture of legal requirements per country?”

“What can you ask of managers? When is it leadership and when do we speak of undesirable behavior?”

“How do you best connect with a global team?”

“When does seduce become deceive? (sales)”


“What can you delegate to the business and what should be on the plate of compliance?”

“How do you make sure that business, sales and leadership are accountable?”

“What do you do after a screening has been performed? Who signs off and how do you mitigate the risks?”

“How does compliance relate to legal and audit?”

“How do you prevent that entities are merely reporting good news? How do you know what the actual challenges are in embargo countries?”

“Should compliance screen employees? If so, how and when?”

“How do you demonstrate that the program works? How do you measure soft controls? How do you measure an open culture? How do you extract information from the organization?”

“What do you report to the Exco? Only incidents? On what basis do you set priorities?”

“Should the size of the compliance department be related to the turnover of the company?”

“How do you map out which budget is spent on legal versus compliance?”

“Do other companies use external data analysts or behavioral experts?”


7. Compliance: moving forward


What is compliance and why?

The interviews with 58 participating compliance managers and the outcome of the survey yielded interesting insights. We gathered and compared the views of compliance professionals from different angles. They also shared their thoughts on how compliance can have the most impact and be prepared for new developments. The following quotes were noted during the conversations with participants and illustrate what compliance is all about…

Compliance is about making connections, discussing dilemmas and being a business partner. As the state of compliance is ever-changing, compliance professionals need to keep driving the movement and make the organization (including management) understand that compliance belongs to them. At least in the beginning, compliance existed by the grace of problems, but the domain has expanded over the years. Yes, management still needs clarity in case of issues, can it or can’t it, but compliance is often about interpretation, so there is a lot of gray area. Models such as the seven elements of effective compliance (US Sentencing Guidelines) or the decision tree certified fraud examiners (ACFE) can support making good choices. Fortunately, it is now also clear in business that everything starts with behavior. The compliance department has a signaling function and consequently the task to influence positive behavior. Tailor-made procedures can be designed depending on the risk appetite. As soon as the policy is established and supported, the cycle starts again: protect, contemplate, guard.


8. Methodology and participants


Methodology and participants

Methodology

The interviews were conducted in the second half of 2022 and the first quarter of 2023. The interviews were preceded by an extensive questionnaire, which, for reasons of confidentiality, was only discussed in a personal interview. The results are included anonymously in the various chapters of this trend report. Naturally, we are happy to explain the in-depth interpretation of the results in our future personal contacts.

Participants

This trend report is based on interviews with 58 nonfinancial compliance professionals across multiple industries in the Netherlands. See the overview on page 42.

The participants represent mostly multinationals with an office in the Netherlands, 38 of which also have HQ in the Netherlands. The size of those companies varies between annual sales of under EUR 1 billion to well over EUR 350 billion, with employee numbers between 350 and 385.000.

Editorial

We notice that compliance leaders are looking for better ways to measure the effectiveness of their compliance program. There is a great opportunity here for compliance functions to request, or better optimize, their resources. Data driven reporting can lead to more effective risk management and increased business transparency. Moreover, a more modern approach appeals to young talent who can identify with it.

Openness and sharing practices benefit the compliance domain in continuously developing itself. Therefore, we are grateful to all participants who shared their insights and knowledge. We will continue to share our observations with you by organizing Compliance Round Tables, surveys and projects. This way, we strive to help Compliance Leaders to make the best decisions possible. Compliance may be ever-changing but our mission to share insights continues.

Regien Haarbosch – Amsterdam, June 2023


About us

Voxius Compliance Management

Voxius Compliance Management has built a national reputation as a thought leader and is known as the go-to executive search and consulting firm for compliance talent in The Netherlands. We closely follow developments in the compliance domain in order to advise our clients optimally. Because we have built up in-depth industry knowledge, we can support our clients in translating their compliance strategy and objectives to teams and people. From design to delivery: from organizational design of the compliance function and project planning to delivery of permanent and temporary staff for compliance departments. Since 2015 we have organized Round Tables on various compliance themes. Compliance and legal professionals with (partial) responsibility for compliance find it valuable to externally test the policy of their company.

The setting of the Compliance Round Tables is a safe environment to discuss many, often precarious topics with other compliance professionals who face similar challenges. Please find additional info and topics on www.voxius.nl/compliance. A closer look at the profile of the participating companies is described on the next page.

The author

Regien Haarbosch is responsible for the Compliance Management branch of Voxius. With her in-depth industry knowledge, she supports clients in translating their compliance objectives into teams and people.

Connect with us:

regienhaarbosch
haarbosch@voxius.nl
www.voxius.nl/compliance

This report was designed by © Aclara Legal Design


Participating companies

Name | Person | Job title
Aegon | Alexander MacLean | Global Head of Compliance
AKZO | Claudia Sijstermans | Head of Global Integrity & Compliance Operations
Aldi | Hugo Dankers | Manager Compliance
AMG Advanced Metallurgical Group | Ludo Mees | Chief Compliance Officer, General Counsel, Senior VP, Company Secretary
Anonymous (medical devices company) | Anonymous | Senior Compliance Officer
ASML | Andre Hermsen | Chief Compliance Officer
BME Group | Egge de Jong | Head Ethics & Compliance
Boskalis | Jan Haak | Head Business Legal
Caldic | Samera El Idrissi | General Counsel
Centrient Pharmaceuticals | Helene Millenaar | Global Risk & Compliance Director
Coca-Cola Europacific Partners | Maaike Burger | Director Ethics & Compliance
DAF | Remco Koster | Director Compliance
de Heus | Sanna Jordens | Group Manager Integrity & Compliance
Defensie | Rinske Fieten | Director, Centrale Organisatie Integriteit
Dorc | Ruud Spohr | Director Legal & Compliance
DSM | Martine Dusseldorp/Cees Los | Senior Legal Counsel and General Counsel, respectively
Eastman Chemical | Matthijs Veenema | Global Business Conduct Director
Fugro | Annabelle Vos | General Counsel & Chief Compliance Officer
Haven Amsterdam | Wilko Tijssen Claasse | General Counsel
Heineken | Diane Zivkovic | Global Director Business Conduct
Holland Casino | Malinda Miener | Chief Compliance Officer
IHC | Claire de Schepper | Director Compliance
KLM | Friso Guit | Director Compliance & Business Ethics
KPN | Arnoud Rooijmans | Chief Compliance & Privacy Officer
Leaseplan | Ruth Post | Chief Compliance Officer
Lely industries | Caïus Ort | General Counsel
Mammoet | Caspar Montagne | General Counsel
Medtronic | Adriaan Buyserd | Senior Legal & Compliance Manager Benelux
Mendix | Edward Lich | Head of Compliance & data privacy & export control
Nedap | Dennis de Vries | General Counsel & Corporate Secretary
Nutreco | Wim Kokkedee | Global Ethics & Compliance director
Össur | Maarten Westermann | Global Compliance & Integrity Director
Philips | Marc Knapen | Head of Legal Compliance, Markets, GBP program office & anti-trust
Philips Domestic Appliances | Leonie Starmans | Head of Legal, Corporate & Compliance
Pon | Johan de Vries | Chief Compliance & Ethics Officer
Primeale United (formerly van Oers) | Marten Bezemer | Manager Legal Affairs
Prorail | Diederik Slijkerman | Corporate Compliance Officer, Head of Risk Management, Compliance, Integrity, Privacy
Reesink | Eelco Rommens | Compliance & Ethics Manager
Royal Peterson Union Group | Karen d'Leon | General Counsel
Sabic | Bo van Zeeland | General Manager Chief Counsel Compliance
SBM | Kirsten Stein | Group Compliance & Corporate Legal Director
Schiphol Groep | Emma Keulen | Compliance officer
Shell | Miriam van Heyningen | Senior Legal Counsel
SHV Energy | Marieke Bax | Group Ethics & Compliance Officer
Siemens | Ferenc van Beek | Regional Compliance Officer
Sligro | Jurgen Leutscher | General Counsel
Strukton | Willem-Jan Wieland | Director Legal & Compliance
Tennet | Henriette Strating | Head of Compliance & Integrity
Thales | Marie-Cecile Stutvoet | Director Legal & Contracts, Chief Compliance Officer
TomTom | Cassandra Moons | Head of Compliance & DPO
TP Vision | Joris Wouters | General Counsel, Head CSR, DPO
Uber | Samantha Boel | Regional Compliance Director
Van Leeuwen | André Bouwer | Head of Compliance (and Eline van Haeren, GC)
VanderLande | Carl Messemaeckers van de Graaff | General Counsel
VARO Energy | Mark Geurts | General Counsel
Veon | Guido Febus | Head of Ethics & Compliance
Vermaat Groep | Joyce Winnubst | Director/General Counsel
Yusen Logistics | Bram Beliën | Chief Legal & Chief Compliance Officer & DPO

