A conversation with Christopher Wright and Melanie Zemp, LarfargeHolcim

A conversation with Christopher Wright, Head of Compliance and Melanie Zemp, Compliance Operations Manager at LafargeHolcim

As part of ‘PwC 2019 Global Risk, Internal Audit and Compliance Survey’, we interviewed Christopher Wright, Head of Compliance and Melanie Zemp, Compliance Operations Manager at LafargeHolcim. In an interview with Birgit Gallus, expert in governance, risk and compliance at PwC, they talked about on how they use the factors of responsibility, risk and digitization to prepare their compliance program for the future.

How would you describe your organisation’s level of digital maturity, meaning the integration of digital technologies and capabilities into your operations, services, products or experiences?

The company has appointed a digital champion to examine digitalisation in key areas such as customer service. This comes with the backing and drive of the board. In addition, we have a compliance change programme in place focusing on accountability, risk and digitalisation.

What does being a smart risk-taker mean to you?

Risks must be taken in business, but they must be manageable and not destroy the business. The whole compliance story starts with risk.

To be a smart risk-taker, we need to focus on accountability (who owns this risk), the nature and degree of the risk, and how we deal with said risk – which today should include digitalised solutions. Accountability lies with the business leader. From a Group perspective, it’s the CEO. At the transactional level, it’s the country CEO. They make the decisions and are accountable for the risk. Risk structure is about building mitigations proportionate and appropriate to reducing the risk. Digitalisation points to smart ways to reach people.

The role of compliance is to work with the business to help it mitigate the risk. This is different to a classical model, where compliance acts more as a policeman saying ‘yes’ or ‘no’.

How is the LafargeHolcim compliance function changing as it becomes more digital?

It’s changing in three key ways: how accountability for the programme is understood, the way the programme is structured around risk, and digitalisation.

The board wants to ensure that the accountability picture is right. And we’ve made a lot of progress. For example, there’s a clear connection between country CEOs, their general counsels and accountability for compliance.

The compliance programme is structured around assessing risk and building mitigations to reduce those risks in each country. Some years ago, our programme was more conventional, in that it was defined through Group-wide policies and directives. That one-size-fits-all approach is a great starting point – to set a minimum standard. But in the long run, you have to shift your focus to the risks in each country and then structure your priorities around this.

How are you currently leveraging digital tools in compliance?

From a digital perspective, our attention is focused on implementing our compliance programme as much as possible through digital and data-enhanced means. Mobile technology applications greatly advance this objective. Whether it’s training, communications, attestations or reporting, all of these things can be facilitated by smart systems.

Digitalisation allows better leveraging of data, better reach and better employee accessibility. For example, if you need to know how many people have been trained in Algeria, this data can be retrieved more readily than in the past when we relied on the manual compilation of excel spreadsheets.

We’re a Google company. So by using Google single sign-on plus location, role and language, we can contextualise communications, training, and policies and directives that are relevant to individual employees.

Are you providing or planning to provide any new services to LafargeHolcim, to your colleagues, that you couldn’t have offered without digital capabilities?

We’ve launched a ‘Compliance Six Pack’ metrics set with six KPIs, presented as traffic lights (green, amber, red) – three owned by the compliance function and three shared with the assurance function. It emphasises accountability by naming the CEO and general counsel for the country six-pack. We monitor the compliance programme in all countries through these six compliance-related KPIs.

So if I’m asked, what’s the status of the LafargeHolcim compliance programmes? I will answer by reference to specific countries – rather than at a high-level on behalf of the Group.

It’s a powerful tool for local management which owns the compliance risks. CEOs can examine their traffic lights and identify the trends that have emerged over the last four quarters in their own country versus in others. So there’s complete transparency over performance.

What are the types of KPIs measured?

The Six Pack gives a picture of the compliance programme’s effectiveness. It covers three types of compliance metrics:

1. Activity: e.g. Have I completed my training?
2. Progress: e.g. Am I on plan?
3. Maturity: e.g. Do I have a reduced number of internal audit actions that are open?

We mostly track business performance against plans, and that’s how I want to track compliance.

How has focusing on risk enabled you to refine your KPIs?

A classic example involves training. If I’m a CEO or general manager of a country, I need to understand the key risks and how effectively people are trained in the control of those risks. In the past we provided one-size-fits-all training, e.g. about competition or sanctions, once or twice a year. Now we ask businesses to assess their employees against two criteria – from the perspective of the risk they present due to non-compliant behaviour (e.g. taking bribes, forming a cartel), or from the standpoint of their role in helping to mitigate the risks of business transactions. We target compliance training to the role performed by the employee. We call this role-relevant training.

How do you see the organisation at LafargeHolcim evolving to handle the changes and tackle the challenge of digital transformation?

The Ethics, Integrity and Risk Committee took a decision last year to break down silos across the assurance function and move to a single-risk management approach with a single cycle, a single risk universe, a single tool – as opposed to five tools. This also allows us to share the costs.

For compliance, we are looking for opportunities in digitalisation to better support our business in managing and mitigating risks. This will lead to the more extensive reliance on data and the introduction of innovative technologies to underpin delivery of the compliance programme.

What’s your ideal – or dream – for digital transformation?

Ideally CEOs will have the Six Pack and other data available on their mobile device, in as near real time as the system can deliver. Smart data analytics and communications will provide leading measures of risk. This is an aspiration, an area I’d to work on with the entire assurance team. In addition, the more extensive use of graphical depictions of data and trends will give managers early indications of problems ahead, enabling them to take corrective measures quickly and accurately.

What advice do you have about implementing change in a digital transformation process?

Data protection is implicit in everything we do in the compliance team. This becomes even more important with digitalisation.

A digital transformation programme needs to be realisable over a period of time. I’ve found in the past that if you try to force significant change, it doesn’t work. People resist and everything falls apart because there’s no traction for the change. So it needs to be managed as a change in the organisation, which will take time.

The other reason why it’s important to take your time is that we don’t yet know everything that’s required or what items will need adjustment, or what preparations you’ll have to make in response. We need to keep that in mind, otherwise we risk getting ahead of ourselves.