
Insights from Snap: How E&C programs are adapting to the evolving risk landscape

What you'll learn on this podcast episode

With escalating risks becoming more severe and frequent globally, Ethics and Compliance (E&C) initiatives are intensifying their focus on risk mitigation. LRN's 2024 Ethics & Compliance Program Effectiveness Report, drawing insights from over 1,400 E&C professionals worldwide, underscores this trend. Our research indicates that values-driven programs not only exhibit superior effectiveness but also demonstrate a robust correlation with diminished risks and improved business performance. Amidst this evolving risk landscape, how are E&C programs adapting? What are the prevailing strategies, and how do they manifest in everyday program operations? In this episode of the Principled Podcast, host Emily Miner discusses key findings from the North America edition of the 2024 Ethics & Compliance Program Effectiveness Report with Nicole Diaz, Global Head of Integrity & Compliance Legal at Snap.

Get a copy of the North America edition of LRN's 2024 Ethics & Compliance Program Effectiveness Report.

Where to stream

Be sure to subscribe to the Principled Podcast wherever you get your podcasts.



Guest: Nicole Diaz


Nicole Diaz is a Harvard Law School graduate and integrity-first compliance attorney with over a decade of experience in investigations and civil and criminal litigation.  Her passion is building open cultures that maximize positive social impact and minimize ethical blind spots. She currently serves as Snap Inc.'s Global Head of Integrity & Compliance Legal, where she oversees the company's Code of Conduct, leads risk management in key areas such as anti-bribery, conflicts of interest, and trade law, runs internal investigations, and works cross-functionally to embed ESG strategy into corporate governance.  Before working at Snap, Nicole worked at Skadden Arps and Willenken, and clerked for a US District Court.

Nicole has been a leader in legal diversity efforts throughout her career, most recently helping to found the Snap Legal Diversity group and the Los Angeles chapter of the pipeline program Law in Tech Diversity Collaborative. She has also served as an Ambassador for the California Minority Counsel Program (CMCP) (2017-2020 term) and as Chair of the CMCP In-House Counsel Committee, and is an active alum of the Leadership Council on Legal Diversity (2016 Fellow).

Host: Emily Miner


Emily Miner is Vice President of Advisory Services at LRN and advises executive leadership teams on actively shaping and managing their ethical culture through deep quantitative and qualitative understanding and engagement. She emphasizes co-creative, bottom-up, and data-driven approaches to foster ethical behavior and inform program strategy. Emily has led engagements with organizations across various industries including healthcare, technology, manufacturing, energy, professional services, and education. She co-leads LRN’s flagship research on E&C program effectiveness and is a thought leader in organizational culture, leadership, and E&C program impact. Before LRN, Emily applied her behavioral science expertise in the environmental sustainability sector, working with non-profits and municipalities, facilitated earth science research in academia, and contributed to drafting and advancing international climate policy goals. She holds a Master of Public Administration in Environmental Science and Policy from Columbia University and graduated summa cum laude from the University of Florida with a degree in Anthropology.




Principled Podcast transcription

Intro: Welcome to the Principled Podcast, brought to you by LRN. The Principled Podcast brings together the collective wisdom on ethics, business and compliance, transformative stories of leadership, and inspiring workplace culture. Listen in to discover valuable strategies from our community of business leaders and workplace change-makers.

Emily Miner: With escalating risks becoming more severe and frequent globally, ethics and compliance initiatives are intensifying their focus on risk mitigation. LRN's 2024 Ethics and Compliance Program Effectiveness Report, drawing insights from over 1400 E&C professionals worldwide, underscores this trend. Amidst this evolving risk landscape, how are E&C programs adapting? What are the prevailing strategies and how do they manifest in everyday program operations? Our research highlights the effectiveness of values-driven programs. Not only do these programs exhibit superior effectiveness, they also demonstrate a robust correlation with diminished risks and improved business performance. Hi, and welcome to LRN's Principled Podcast. I'm your host, Emily Miner, vice president of Advisory Services at LRN. Today I'm joined by Nicole Diaz, Global Head of Integrity and Compliance Legal at Snap. Today we're going to discuss key findings from the North America edition of our 2024 Ethics and Compliance Program Effectiveness Report, and explore how these findings show up at Snap. We'll also go over different approaches to risk management and considerations for your own practice. Nicole, thanks for joining me again on the Principled Podcast.

Nicole Diaz: Great, thank you so much. Pleasure to be here.

Emily Miner: So let's start with a little bit of background. Can you tell our listeners who Snap is and your role within the organization?

Nicole Diaz: Yeah, so Snap is the maker of Snapchat, which if you have kids you might be a little too familiar with. And we are a global public company operating in over 25 different countries. I've been at the company for about six years, actually started in litigation and doing some ethics and compliance and have switched over to ethics and compliance full-time for about the last four years.

Emily Miner: Yeah, my kids I think are a little too young for Snapchat at the moment, but I'm not too many years off. So there are many insights from the 2024 report far more than we could cover in this conversation. So let's start with one of the headlines. We found that by a 10 percentage point margin mitigating risk was the top area of focus for North American programs to improve last year. And indeed this was true across all countries that we surveyed. For me, at first blush, this seems obvious, the key purpose of an ethics and compliance program is to mitigate risk. And, of course, as we know, programs should be grounded in their risk profile as the DOJ makes clear. But what was really interesting is we've actually been asking this question for a few years now, and risk management has historically been lower down the list when we've asked this question.

So last year for example, programs were much more focused on training and communications in terms of their top priorities. But I think if we think about the last few years, we can draw a line between a number of factors. We've got increased regulatory action and requirements, we've got geopolitical events, we have the emergence of new technologies like generative AI. Of course, we never have a shortage of high profile compliance failures. So we can draw a line between these events and this increased focus on risk. And I'm wondering if you can share a little bit about how this theme plays out in your organization and whether that's how your thinking around risk management has evolved in the past years, maybe starting with the basics of how you think about risk assessment.

Nicole Diaz: Well, I've definitely seen that shift in the tech industry in the last few years where I think before there was an attitude towards ethics and compliance of just enough to say don't do bad things to people and maybe an over-reliance on policies or training. But I think increasingly companies are, in the tech industry in particular, realizing we have to do more and we have to think in advance about potential negative impacts and mitigate those upfront. But more broadly, I think that's just a sophisticated approach of any compliance program. Training and comms is really the tail of the dog. You want to start as our evaluation of corporate compliance program states within an effectively designed program. And in order to do that, you need to have a risk assessment in place. And risk assessment is really going to help you understand what are the risks that your business is facing across all compliance subject matter areas. How might that risk manifest for your business in particular?

So you take it from the general down to specifics and then what measures, what controls do you have in place to actually stop that behavior? Training and comms, again are really generally ineffective ways, I think, to mitigate risk. People take a training, they don't pay attention, they forget what they've learned. What you want to do is really get, again, sophisticated about thinking about the systems and controls and processes that your organization has and how to put in blockers, how to put in reminders, how to create workflows that incorporate risk into people's everyday business activities. And that's certainly the direction that we take here at Snap and where our efforts are focused. I think one interesting thing, and we'll probably touch upon this multiple times as we talk is this idea, I've talked to so many people about risk assessments and there's so many different ways to approach it, and people can mean a lot of different things when they say risk assessment.

I think some of them can be very narrowly focused on really just deeper dive, almost like an audit of the compliance program risk areas. But I think any compliance program should also consider doing a much more holistic risk assessment where you are developing a prioritization and understanding of all compliance risks, whether or not your team owns them or not. And I think that's going to give your organization the ability to really effectively mitigate risk because you're going to be looking at everything altogether and being able to spot those gaps and work effectively with cross-functional partners to mitigate those risks.

Emily Miner: When we were prepping for this conversation, I want to pick up on that last point that you just made. One of the things that we talked about was in this body of research that really covers a lot of ground, what's potentially missing. And that cross-functional collaboration is one point that you highlighted, which I think is well taken. And there's a lot of ways that a cross-functional collaboration can play into advancing an E&C program's goals and impact, from partnering with, effectively with HR, let's say around incorporating ethical conduct into performance management decisions, to partnering with them on investigations, to partnering with InfoSec. We could go down the list, but what you were just highlighting was that holistic approach to a risk assessment and including the areas that your function maybe doesn't control. But if you are to really carry out that overarching mandate of protecting the organization, mitigating risk and incentivizing ethical conduct, you're required to consider those risks. You can't just focus on anti-bribery and corruption or what have you. And so how have you approached that with other stakeholders within Snap in taking a more holistic view of your overall risk profile?

Nicole Diaz: All of our relationships as people often say, and one, I think building those relationships both formally and informally has been very helpful. At the start of those conversations, you might think, well, okay, I'm over here in my subject matter area, bribery, corruption, conflict of interest. They're over there in their subject matter area, HR, compliance, cybersecurity risk. What do we really have to talk about? And I think over time you discover you have quite a lot to talk about. There's many points of crossover, but you need some time to develop that understanding and develop that working relationship. One, a formal way that I've developed those relationships is the risk and compliance committee. And we've tried different ways, and I've heard of different models of setting that committee up. What I've found to be very effective is getting composing it of risk owners, second-line risk owners. So people who are senior but still in the weeds in terms of understanding their risk areas, the controls and programs that they have in place.

So we have people from privacy, from tax, from HR compliance, from security all across the company and who come together and share updates on insights from our various programs and also spot issues in our operations, in our processes that do cut across those cross-functional lines. And so I think that committee has been really instrumental to getting all of us to think about compliance risk, I think in the way that the DOJ sees it. The DOJ, their evaluation of effective compliance programs, they don't talk about programs plural. They say, what is your company's compliance program like? And I've had discussions with former members of the DOJ who have said that is not limited by subject matter area. They are really looking at the holistic fabric of a company's compliance efforts, and they expect those partners to be working together to develop a very strong unified approach to compliance risk.

So I think the risk and compliance committee is a great place to start those relationships in a formal way. Risk assessment that we're talking about then is a way for all of you to come together and develop a really clear understanding of the risks that you're managing together and the programs you all have in place. And then informally, being able to have conversations with those people. What are they seeing? What are they worried about? What do they think the company is doing well or not well? And understanding that you're all coming at this from a similar perspective.

Emily Miner: As you were just sharing about the compliance committee, I was thinking about the debate that's been playing out in the ethics and compliance space over the last few years around ESG oversight and where does that sit? And there's a camp that say it fits naturally within the ethics and compliance function, maybe not to be responsible for all of the parts, but to have that oversight. And then there's another camp that says, no way. My plate is too loaded as it is. That's for somebody else to do. And I'm not going to weigh in on one side or the other right now, but I was just thinking about this committee-based approach that you have. If we... Going back to what you highlighted around the DOJ, having that singular program, not programs, that's really what's required if an organization is going to have a handle on all the different types of compliance risks in an organization, it's too much for one individual or one function. Does that expertise all sit, of course, within one individual or one function? So I'm seeing a parallel there to this debate around ESG.

Nicole Diaz: ESG is actually part of compliance at Snap, so I don't think it has to sit there, but I certainly think that there's a lot of crossover and it's a good relationship to build amongst the others that I was discussing.

Emily Miner: So you've talked about your observations in how the risk assessment has evolved over time and a little bit about how you're thinking about that in Snap, but risk assessment is, of course, just one piece of the overall risk management puzzle. So what are some other, thinking about your risk management more broadly, either in the tech industry or at Snap, what are some other pieces of that puzzle that you find valuable to manage your risks?

Nicole Diaz: Other pieces I think are policy enforcement and investigations. So I think sometimes there can be a lot of teams at a company who are struggling to get people to comply with a policy. They may not be ready to jump to, okay, we're going to report you to compliance. But I think even at those early stages where they're trying to figure out their enforcement scheme, that can be a good place for you to come in, partner with those teams, and also to learn about where are the major areas of noncompliance in the company, and how do we increase compliance and what does it say that we're having trouble with that particular policy? And then investigations, if it does lead to investigation or there is a reported concern, is a great time to develop stronger relationships with those policy owners.

I will often alert policy owners and involve them if there is a reported issue because I view them as the owner of that area of risk. And so they should be looped into understanding the enforcement process. And then root cause analysis at the end of an investigation, once you're done and you've adjudicated the particular corrective action for that individual, there's still so many great insights and learning opportunities for the company, and I think that's an opportunity for compliance to work with those risk owners and to think about, okay, how can we, again, mitigate risk? How can we ensure that controls are set up to minimize this sort of behavior going forward?

Emily Miner: One of the questions that we asked in our research was around different sources of input of data and trying to rank order the helpfulness, the usefulness of a particular source of insight in terms of working to advance program effectiveness, program goals, et cetera. And root cause analysis rose up higher than straight, just hotline reports and trends. And that caused some discussion internally around what that meant, and I'm curious to get your reaction. But the way that I interpreted that was that hotline, and it was specific to hotline, that captures such a small sliver of what's going on in an organization. And, of course, it's a very important source of information, but it still does tend to capture a smaller sliver than a broader case management system would. And so the root cause analysis of those compliance failures or control failures or whatever the case may be, can be a more powerful tool to figure out what potentially needs to be fixed. But I don't know if you have thoughts on hotline reports versus root cause analysis and maybe how you view them or use them.

Nicole Diaz: Good for different things, I think. I think hotline reports can give you a sense of problem areas within the company, whether or not it's departments or policies that need more attention. But I think root cause analysis is where you look for systemic issues. You think, okay, we had this one report, but what conclusions do we draw from that? What patterns are we seeing and how do we fix those? So it's more of a proactive approach.

Emily Miner: So I want to switch gears a little bit, shift away from risk assessment, risk management, and talk about another key finding from our research, which was, I think it's fair to say really the widespread incorporation of values, of company values into the fabric of an ethics and compliance program. And we found that 82% of North American ethics and compliance professionals indicated that their organization emphasizes values as a key motivator of ethical behavior. And this is a really significant increase, 29 percentage points from when we first asked this type of question in 2016. So we're coming up on nearly 10 years of this type of data, the role of values, not just rules. I think you sort of alluded to this a little bit in the beginning when we were talking about training and communications, but I know that values are really central to your program at Snap, and your code of conduct, for example, is wrapped around one of your core values that of being kind. So I'm wondering if you can share your reaction to this finding.

Nicole Diaz: That makes total sense to me. I revised our code of conduct about three, four years ago based on that exact philosophy. There's a lot of behavioral psychology and science research out there showing that identity and values are actually the deepest part of what drives behavior. If you think of an iceberg, identity is the giant part of the iceberg under the water. And rules are what's sticking out above the water. And so the values also drive the rules, they drive how we interpret those rules, how we enforce them. And so tying your compliance and ethics program to identity, who are we, how do we behave, is much more effective at driving behavior than just giving people a bunch of rules to memorize.

It's also, I think, more flexible. If you have a rules-based system, you enter into a world where people might say, well, that's not written anywhere, or that's not, this is a new scenario. And so it's not captured by the rules because you didn't anticipate it. Whereas if you have a values-based system, people understand when they're presented with new situations, they should act in a way that reflects the values of the company and use good judgment. They understand that that's expected of them. So it's much more, ethics is a much more flexible system than a set of rules.

Emily Miner: Yeah, three cheers to that. That's definitely very much a central part of LRN and how our mission and how we approach our work with organizations. So it's been really interesting to track this over time as you've just talked about, seeing values as really central to your program. And I love the way that you framed it as tying your program to identity and to who we are as an organization. So we are seeing values become more and more integrated into that why and that how of ethics and compliance programs. But our research, a dark spot in our research was this apparent hole when it comes to middle management role modeling the same. So when asked, 76% of our respondents said that they see executive and senior leadership making decisions consistent with values, with purpose, and they compared that to only 39% of middle management. That's a 37 percentage point difference, and it's the largest gap since we started collecting data on this in 2021.

And it's particularly alarming because middle managers, as those with whom most employees are directly interacting, they're very visible role models. They cast an outsized shadow on the way things work around here, the culture of an organization. And of course, as the DOJ and their evaluation of corporate compliance programs note, middle managers play a key role in balancing business goals with ethical conduct. What is your reaction to this finding? Were you surprised by that? Is that reflective of what you understand to be true in the various organizations that you've worked in? And how are you trying to close that gap if there is one at Snap?

Nicole Diaz: The size of the gap was very surprising to me, of how stark your results were, because I think there, as you said, there's 75% felt that their senior leaders were able to effectively make decisions based on values and ethics, whereas the gap for middle managers was so much lower. And trying to explain that gap to myself, I thought maybe this is really that middle managers feel less empowered to take a principled stand, and they view those decisions as above their pay grade, and so they get escalated up the chain and it's not the worst system in the world, but I don't think it's an ideal system for a couple of reasons. One, maybe they don't escalate it. Maybe they just do the decision that will make their quota, that will hit their numbers that won't cause ripples or draw attention to them. And so they might be afraid to even raise the issue.

The second thing is you then end up with an organization where the senior leaders are being pinged all the time for decisions that presumably could be made at the middle manager level if managers were probably empowered and understood the risk tolerance of the organization and the ethical principles of the organization. And then third, I think you'd probably have better morale and stronger sense of belonging and commitment throughout your employee population if people understood, Hey, if I take a principled stand on this, I'm going to be backed by my manager or by my leader, and everyone here is an ethical leader and should be making those decisions on behalf of the company. I would love to close that gap. And I think it's probably an issue at all companies to see that number reduced and to really focus on those middle managers in the frontline defense as not just rule followers, but ethical leaders who can make those decisions.

Emily Miner: Yeah. And I think there's an element of that that comes back to the greater flexibility that you get with the values-based system as opposed to a rules-based system that you were just talking about, when everybody understands the values and what we mean, not just the values, like this is the word, but what does it actually mean to behave in a way that demonstrates those values where we're all better equipped to bring them into the decisions that we're making and the actions that we're taking on a daily basis. And also for that middle management group to feel more empowered to champion them, as you said. And this is something that I think about a lot, how to tap into that middle management cohort in an organization. We know there's a lot of research that I think pretty definitively shows that most people, when they have a concern, an ethics concern or a question, they're going to go to their manager.

They're far more likely to go to their manager than to call the hotline, for example. And so it really, I think, underscores how important it is that middle managers are supported, they understand they have the appropriate, the training, the resources, the authority, the support to respond appropriately in a way that is in alignment with organizational values, but also just to borrow one of Snap's values in a way that is kind, in a way that is validating and respectful to the employee raising the concern so that you create this virtuous feedback loop. And I think the Department of Justice also recognizes that the important role of middle managers in the 2023 update, there was more mention of middle management than in years prior. So it's something that I think we all know is really important. And that's good. It certainly is a space to watch and to share practices and what's been successful across organizations in engaging with those middle managers as ethics champions.

Nicole Diaz: Yeah, it'd be interesting in follow-up surveys that LRN might do to see if you can probe if people have an understanding of the reason for that gap. Why do they feel managers are not empowered to make ethical decisions at this moment?

Emily Miner: So Nicole, I want to close our conversation by looking ahead. It was really exciting for us, 2024 marks the 10th year that we've been publishing our Ethics and Compliance Program Effectiveness Report. And so I'm wondering if you could think about the next 10 years of ethics and compliance or just the next year, and what developments do you hope to see ethics and compliance tackle in the next year or the next 10 years?

Nicole Diaz: Well, I think next year this is a doable goal. I would love to see the evaluation of corporate compliance programs updated to clearly define what they mean by a company's compliance program and have that definition encompass all subject matter areas, not just bribery and corruption. I think that's the current intent of the document, but it doesn't state that anywhere. And I think that really making it clear that the government's view is of a unified approach to compliance and the role of the CCO in helping to generate that alignment would be very helpful.

Emily Miner: Yeah, so going back to what we were talking about at the top with respect to overall risk assessment and risk management.

Nicole Diaz: And then the other thing looking further out, maybe 10 years down the road, is I would love to see compliance further embedded into organizational decision making and planning. So similar along the lines of what we just said, there's middle management, understanding how to make risk decisions, understanding a firmer grasp on their role and the ethical protections of a company, and in strategic planning and decision-making to continue to have compliance embedded into those decisions, I think is, again, focusing on risk mitigation from the get-go rather than training and comms after the fact.

Emily Miner: Well, thank you, Nicole. We're already thinking about the questions that we want to ask for the research that goes into next year's report, so I'll be taking these notes and then maybe we'll have another conversation in a year's time and we'll report on the progress that's been made in this particular area.

Nicole Diaz: Great. Well, I really very much appreciate the insights from this year's report, and thank you so much for having me today.

Emily Miner: Absolutely, Nicole. I always love our conversations. So to our listeners, thank you so much for tuning into the Principled Podcast by LRN, and we'll see you next time.

Outro: We hope you enjoyed this episode. The Principled Podcast is brought to you by LRN. At LRN, our mission is to inspire principled performance in global organizations by helping them foster winning ethical cultures rooted in sustainable values. Please visit us at lrn.com to learn more. And if you enjoyed this episode, subscribe to our podcast on Apple Podcasts, Stitcher, Google Podcasts, or wherever you listen. And don't forget to leave us a review.