A Story of a Complete Compliance System Revamp

CEEIHM Issue 1.2.

Jakub Staskiewicz, Legal & Compliance Director, Company's Proxy, and DPO at Vision Express Polska, talks to CEE In-House Matters about his experience in revamping his company’s compliance system and lessons learned from the exercise.

CEEIHM: You and your team set up a new compliance structure in early 2019. What were the main driving forces behind the revamp?

Jakub: This is correct. We did introduce a completely new compliance system and structure in 2019, just before the COVID-19 epidemic exploded. I’m very lucky that we managed to do so as right now it would be more difficult to do it effectively.

Vision Express SP Poland is part of the Grand Vision family, a worldwide organization present for years in the optometric services and corrective glasses market. Grand Vision has a great central compliance structure but it also – properly – allows its companies to have local differences and understands that an effective compliance system must take into account specifics of the local market, local employees, and the local legal environment. So, if you are asking me what the main reason for the revamp we made was, I would say that it was lots of existing small local factors which together proved that if we would like to have a compliance system that not only looks good in theory and works perfectly in other countries but also works locally, effectively, we need to change it slightly to make it more tailored for our company alone.

CEEIHM: And what were the main elements of the new compliance system? 

Jakub: Most updates resulted from the desire to answer our local needs and our company’s structure as well as local issues of our employees while, at the same time, keeping the main rules, spirit, and standards of Grand Vision’s compliance system.

We have focused more on anti-mobbing policies and rules preventing discrimination and sexual harassment than we did in the past. We embedded those rules more in our structure and made them more tangible for Polish employees. We also redeveloped the whistleblower rules in all kinds of cases – not only for discrimination and sexual harassment. First, we did this to ensure that our employees will feel safe reporting anything they might assess as illegal, or even just wrong, regardless of what it is. Second, we did it to manage the system better. Third, we aimed to adapt to local legislation – both current and potential future legal rules.

We also created new policies which are mostly instructions for employees on how they should act in case of any kind of inspection made by the local authorities or contact made by the police or other law enforcement. Such situations are very stressful for employees, and, in most circumstances, they are not prepared for them. We are trying to prepare them and provide very precise instructions as to what they can and can’t do and what their obligations and privileges are, how they should react to specific requests, and so on. This helps employees as responsibility is transferred away from themselves and their better judgment and to the procedure itself; of course, it also benefits the company as it ensures that mistakes will not be made – or, at least, by making them far less likely.

We also focused more on policies regarding new types of social communicators and media and how they relate to the company’s interest and image. Those are rules for using Facebook, Instagram, LinkedIn, and other social media platforms in relation to the employment in our company and messages sent to the world on behalf of our company or which could be related to our company. Those are powerful platforms and, while everyone should enjoy the full power of free speech and of free judgment, some rules still should be kept, such as basing any statements or judgments on facts and truth, not using offensive or discriminative language towards others – in particular against other employees – not speaking on behalf of the company without proper authorization or falsely claiming that you can speak on behalf of the company, not sharing publicly confidential information, and so on. This is of course only some of the changes we have made.

We also made all the rules on personal data security and all processes connected to personal data more strict.

So, as you can see – lots of changes.

CEEIHM: Where did you draw your inspiration from? Who did you consult in order to develop the new system?

Jakub: First, I got the inspiration from our group policies and Grand Vision experts as well as from our previous rules. You should never underestimate the work that someone else has already done, and it is not a shame to use it properly. Then, we turned our attention to the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union Law – at the time, it was still a draft, but it was already well-known. It should be the base for every compliance system, even if local legislation still hasn’t introduced it in your country. We also looked into our local legislation and new laws that are likely to arise in the coming months, or even years, to see the direction and patterns and address them. I also looked very carefully at best practices from the finance market and their compliance systems, as those are some of the best in my opinion, and I really encourage everyone who is trying to create the architecture of a compliance system in their organization to look to the financial market. I had the privilege of working on financial markets in an investment fund and brokerage house for about six years, so I gathered some personal experience and some materials to work with. Last but not least was the inspiration from employees. We asked them what was not working from their perspective and what could be better.

In the end, we also consulted with an external law firm – great specialists who helped us to put everything together and add lots of formal mechanisms, which is useful if, at the end of the day, you need to prove something to officials or court. It is very important not to fall into the trap of thinking that a compliance system is made only for internal purposes or to eventually meet the group’s expectations. It is not. It should also have a formal side and processes should be prepared in such a way that, should anything go wrong, you would be able to prove to the outside world that everything that needed to happen did happen. So, some registers, protocols, forms, and statements are necessary as well, I’m afraid – but I advise keeping restraint and flexibility in this regard.

CEEIHM: How did you go about disseminating the update throughout the organization? How did you train your non-legal colleagues on the new policies and overall system?

Jakub: We did it at a few levels. First, it was important to personally train – and not only train but also convince of the value of it – our Executive Team so they would “feel” those changes and understand them to their core. It is of the utmost importance that the Executive Management team not only understands and executes personally the new rules but that they also believe in and spread them throughout the organization by themselves and by setting a good example. Then, there was, of course, building a wider information campaign to reach all the employees, which went great thanks to my colleagues from the HR team. We created obligatory online pieces of training as well as summaries, one-page instructions, etc. All these kinds of material aids helped our employees know and understand the new rules and to give them the certainty that we are doing it for real, including as a clear statement that the company will definitely execute its own rules.

CEEIHM: What tools did you set up to help you implement the new rules/policies?

Jakub: As I mentioned before, it was mostly a mix of personal meetings, online trainings, and simplified materials sent both in paper physical form and by electronic means. We also created a special email through which employees can contact a person from compliance to ask questions and, of course, a separate special email for whistleblowing. We also spread the information that anyone can contact any person from the Legal & Compliance Department if something is not clear or something is not working out as well as it seemed it would when the idea was being developed. We ended up changing a few things in the new system using such bottom-up messages from employees, so that worked well.

CEEIHM: Now, almost two years later, how would you assess the new system's success – what are the main KPIs you're looking at?

Jakub: It is closer to a year and a half since the update was finished but yes, we already see the difference, even in COVID-19 times. Since you are asking about KPIs, I did not create precise success metrics. What I’m looking at is the number of cases of wrong or harmful behavior that have been identified and addressed, and the number of situations we have solved. This number is higher than the number of similar cases found and solved from the three previous years combined. This means that employees trust the system and have confidence that it will not be used against them. This is the biggest success. Other KPIs are also the number of employees which we were able to help or secure their rights, and the number of teams within which we were able to bring back good spirits and a positive atmosphere. I also see that our staff feels more secure and they really see that we are trying to help them – not only the company as an organization – and that they have constant support from the Legal & Compliance Department. We are seeing this during our day-to-day work but also in all kinds of internal satisfaction surveys. The key factor is also the fact that we have not had any penalty related to our compliance system since the implementation, and there are no signs that this will change in the near future.

Of course, there are also challenges. Not everyone is happy with the change, and of course, not everyone is fond of the “tons of new procedures” to learn, but benefits like the ones described above always come at some price. 

CEEIHM: And are you pleased with the overall results so far?

Jakub: I would say that they are good enough. Still, there is much to do and some things could be done better or just differently, but all things considered, I think that my team and the whole company did a great job. Now, we are focusing more on the present COVID-19 crisis.

CEEIHM: If you could do it all over again, what would you do differently – from design to implementation?

Jakub: Probably, I would try to avoid a few procedures/policies which were introduced “just in case.” They only make the whole system more complicated and can give the impression that the compliance system is only important to have on paper and executing it in real life is not the priority – which is untrue. Based on this experience, in my opinion, you should implement only those procedures and policies which are required by law plus those which are really needed by employees and customers, and, of course, those which you are sure are necessary to secure the company’s best interest. And, most importantly, only set up those policies/procedures which you are sure that you will be able to manage, control, and execute properly. All those “nice to have,” or “it will look nice in our system,” or “maybe this statement could be used some time,” which most likely will stay purely on paper will only do more harm by turning attention away from really important parts.

The other lesson I learned, and immediately addressed during the implementation phase, is the standardization of processes in all areas of the compliance system. You don’t want to create completely different procedures for – for example – reporting breaches, investigation processes, registration, training, etc., as everyone, including members of the compliance team, would get lost in them. You should always try to have the procedural parts of different policies be as close as possible to each other or, if possible, to have one procedure for all policies with some exceptions if needed (this depends on the system, company, and legislature, of course).

Finally, next time, I will better assess the workload versus the company’s capabilities and my team’s time – I underestimated this element like a complete rookie.

CEEIHM: Is there a future update in the pipeline? If so, what will you focus on adding and why?

Jakub: Now, we are more focused on dealing with the COVID-19 crisis and all things connected to this situation, not excluding all processes which concern remote working and the challenges which will come along with it, as well as working in a new type of hygienically restricted environment. Changes in our compliance system can wait until this passes.

 This article was published in issue 1.2 of CEE In-House Matters. The full edition is available here in pdf format, here in e-reader format, and here in electronic format.