Transcript: Ann Chaglassian podcast

The Chief Compliance Officer helps us think about managing conduct risk from all levels – with accountability and transparency being animating features of the process.

This is a transcript of the podast Ann Chaglassian discusses managing conduct risk in today’s workplace between Julie DiMauro, US content manager at GRIP and Ann Chaglassian, Chief Compliance Officer for the US and Canada at Marsh and Mercer.


Julie DiMauro: Greetings and welcome. I’m Julie DeMauro, US Content Manager for Global Relays Intelligence and Practice Group. GRIP offers an array of articles, reports and podcasts on a range of compliance and risk topics and can be found at

Hi, I am joined by Ann Chaglassian, Chief Compliance Officer at Marsh & Mercer, and I’m thrilled she’s joining us today to talk about managing conduct risk and embedding ethics in the workplace. Thank you so much, Ann. Ann can you please tell our listeners a little more about yourself and your background?

Ann Chaglassian: Hi, Julie. Thank you so much for having me. So I work for Marsh McLennan, which is an international global professional services firm headquartered in New York City.

I lead the compliance function for the US and Canada, two of Marsh McLennan’s operating companies for Marsh, which is a global leader in insurance, broking and risk management, and Mercer, which is a human resources consulting firm offering health, retirement, talent and investment consulting services. And I’m thrilled to be here today.

Julie DiMauro: Thank you so much, Ann. So before we jump in, I just wanted as a prefatory matter to talk about the difference between ethics and compliance and what we mean by ethics.

You know, when I look it up, it’s, you know, in the context of corporate governance, compliance means obeying the law. Ethics is more the intent to observe the spirit of the law, the expressed intent to do what is right, going beyond the law, what the law says and doing what is right when maybe even doing what is right when no one is looking, which is how a lot of my students have worded it. I’m an adjunct professor and I always ask them what they think, you know, conduct risk means and doing right in the workplace means.

And finally, I think we just kind of came to that very short, you know, it’s doing well when no one’s actually watching you. In the aftermath of unethical behavior, it can be very devastating for a company. So a program that strongly emphasizes both compliance and ethics is just good business. So that values-based approach to ethics and compliance, you know, we can say that it even gives a business an advantage in the marketplace.

And so just thinking about some examples of this, and I was wondering if you can walk us through it. I mean, I think about, you know, the employee that has just fallen for a phishing email and reports it in a very timely way, not only actually reports it, but maybe uses it as a training tool. You know, this is where I made a mistake and instructs her team about how to avoid the same mistakes in the future. That’s kind of, you know, taking the reporting one step further. I was wondering if you could weigh in on it.

Ann Chaglassian: Yeah, I think that’s a great, those are great definitions, Julie, I think that your students have come up with, right? Because when we think of compliance, we’re talking about, you know, something being defined by law or rule or regulation. And with ethics, you’re really talking about people using judgment, right? Good judgment or bad judgment? And how does that reflect on the values of both themselves personally and of the organization that they’re working for?

So you know, the phishing example is a great one. Did somebody, you know, fall for a phishing email and then take that extra step and determine that they needed to go make a report? Did somebody observe bad conduct while they were in a group setting? And when nobody else was speaking out, they raised their hand and said something’s wrong here, even if they were concerned about, you know, being, you know, treated negatively because of that type of behavior.

So I think it’s really important to make sure that you’re kind of distinguishing when you talk about ethics, the judgment component, because what we’re trying to foster in all of our employees is their ability to use good judgment and what that means from an organizational perspective.

Julie DiMauro: Absolutely. Terrific. And when you don’t know where to go to get that, you know, kind of added advice and instruction on, you know, what good judgment looks like for that workplace.

Ann Chaglassian: Absolutely. And we’ll talk about that a little bit, I think, later in this hour around training and the importance of making sure employees understand, you know, what it is that they need to do, because I think sometimes it’s not readily apparent. What’s the right decision here? What may be right to somebody may not be right to somebody else, or they might think there’s more of a gray area. And setting those expectations, I think, is really important for employees to understand.

Julie DiMauro: Terrific. Well, let’s start about managing conduct risk of businesses. Who needs to be included in this besides compliance? And what are the main tasks for each department?

Ann Chaglassian: So that’s a great question. I think this comes up a lot. But, you know, my personal perspective is that managing conduct risk is really a shared responsibility and it has to involve various stakeholders. So I think when people hear this term compliance, they naturally assume that you’re talking about a group that needs to police behavior, right?

And I hate hearing that because I certainly have never wanted to be the police in my role in compliance. And the reality is that everyone needs to take accountability from the board of directors to senior leadership to employees of all levels who are responsible for creating and maintaining that ethical culture. And we use this term setting the tone at the top a lot.

I think people in the compliance field hear that a lot. And it’s a term that’s used to define the leadership of the board and senior management in exhibiting their commitment to being honest and ethical. And I think that’s really important, right? It sets forth the company’s cultural environment and corporate values.

But I think it ultimately comes down to the fact that everyone needs to take accountability. And you can’t maintain that company culture if everyone’s not buying into it. So I think there are multiple components of compliant culture that really need to be followed by employees throughout the organization. But the fundamental point is that everyone at all levels has the responsibility to create and maintain that culture.

Julie DiMauro: Absolutely. And in thinking about those different levels, I want to think about and talk about the top executive level and the board. How do you get buy-in from them specifically, the C-Suite and the board, for tackling these ethical initiatives when they might seem nice to have items, maybe no dollar amount assigned to them necessarily?

Ann Chaglassian: Sure. And that’s another great question, Julie, because compliance is not a revenue generating group, typically. So sometimes people can overlook the importance of it. And I think emphasizing compliance is tied to the organization’s success is really critical to getting buy-in from the board and employees across the organization. So something that I’ve kind of done in my career is you have to present a clear ROI to illustrate cost savings through effective risk mitigation. And sometimes it’s hard to quantify, right?

How did I just avert a major disaster that saved the company millions of dollars? But emphasizing those potential risks and legal consequences of noncompliance can also be effective when you’re drawing parallels to the company’s long-term success and the tools that are necessary to support those goals. So there are various ways that I’ve done that, specifically in using compliance and risk metrics to illustrate how we’re managing various risk topics.

That typically is helpful in getting organizational buy-in. Setting that right tone and shaping the culture of the organization that’s critical to the organization’s success. So by tying all of these things together and actually showing, I think, some credible data, which you can do, right? Our organization averted this issue from becoming a problem when this other organization did not.

And here’s what it costs them. You can certainly make those parallels. And I think that typically resonates certainly with executives and board-level colleagues. But we share that type of data across the board with all of our employees just to show kind of the value of compliance in their day-to-day roles as well.

Julie DiMauro: Terrific. That sounds great. And earlier, you had mentioned training. I’m so glad that you brought it up. It’s such an important feature of any compliance and ethics program. And it gets mentioned, I feel like, more and more in enforcement actions, to be honest with you, that there was no training. The training was ineffective or it wasn’t updated. So how does training operate here to reinforce the messaging and incentive programs in terms of promotions and compensation?

Ann Chaglassian: I think training is really important to just instill a clear understanding of ethical principles. So it plays a crucial role in reinforcing messaging for the necessity of an ethical culture. It provides employees with the clear understanding of the company’s values, the ethical standards, and certainly expected behaviors.

And I think we were talking about that a little earlier. You know, do people understand what’s expected of them? Because I think what might seem apparent to some is not apparent to all. And human behavior never ceases to amaze me. You know, when people are faced with two options, sometimes there’s, to me, is a clear, correct option, and they’ll pick the other option. And that’s where we run into problems.

So we really want to teach employees to apply those principles in their daily work through various training methods, right? You can have interactive sessions, case studies, real-world scenarios, things that resonate with people so they understand how to apply those principles in the daily kind of work that they’re doing, because people are in all kinds of different roles. So one type of training may not necessarily be right for everybody.

You really want to kind of tailor that to job-specific training. We also really believe in ongoing training to reinforce the importance of ethical decision-making. So we want to foster a culture where employees feel accountable and empowered to make ethical decisions. So there’s regular communication, updates on ethical guidelines, and how we’re really embedding these values into our organizational fabric.

So it doesn’t seem like this is one-off messaging. It’s really part of who we are and part of our culture. And it really overall serves to encourage a sense of responsibility in the actions that employees are taking every day as part of their work with the organization.

Julie DiMauro: Thank you. Very helpful. And how do you advocate, though, for the right resources in order to be successful in this area? You are going to need some people power. You’re going to need maybe some technology, maybe some external help. So how do you advocate for the resources? And then we’ll get to the external help about how you select the right person.

Ann Chaglassian: Sure. And I think I mentioned this a little earlier, but I think tying this, the importance of compliance to the organization’s success is really critical when you’re advocating for resourcing. So there are various examples where a compliance officer might want to use external help. So some typical areas include where there are investigations or allegations of misconduct. Y

ou might want to bring in an external expert to ensure impartiality and transparency, and make sure that there’s kind of a neutral observer who’s able to assess the situation and report back, and demonstrate that commitment to doing thorough due diligence. In other areas where there’s training and education, so you can hire external trainers who have specialized compliance training programs, making sure you’re staying ahead of developments and new compliance requirements.

And in industries that are rapidly evolving, I think that’s very helpful to have that type of external expertise where there’s crisis management. So if there’s a significant compliance crisis, a lot of organizations employ external crisis management experts to develop and execute a crisis response plan, because that’s their expertise, right? They do this every day. So their experience can really be crucial in making sure you’re managing appropriately reputational risks and other legal challenges.

And then the last area I would say is where you’re looking at continuous improvement initiatives. So making sure you can hire an external consultant to look at your compliance program and try to enhance it by offering fresh perspectives, looking at gap analysis. And just recommending improvements based on industry trends and evolving best practices.

So I think those are kind of the best ways to do that and to tell your advocacy to align with those types of business goals and data and actual examples that demonstrate the impact of effective compliance on mitigating ethical and legal issues.

Julie DiMauro: Absolutely. And I love the idea of the kind of independence and experience that they bring to bear and having worked with other industries and knowing what’s been effective in terms of strategies and less effective, which is helpful. I think the one challenge though might be that they don’t particularly know your business like you do. How do you get around that?

Ann Chaglassian: That’s a great point. I mean, look, you want to bring in somebody who has familiarity. So it might be kind of an expert that’s been used by similar organizations in similar industries. So keeping connection with compliance peers, getting recommendations. And then sometimes it’s just a matter of trying out external experts and saying, are they fitting in with our kind of organizational design?

Do they understand what we do and what we’re expecting of them? Some of it’s trial and error. Some of it’s based on recommendations and referrals. But you really, at the end of the day, want to emphasize the value of this resource allocation as an investment into the long-term stability and reputation of an organization. So that’s what we’re really targeting when we advocate for external resources.

Julie DiMauro: Makes sense. Perfect. Thank you. Now, I want to also think about conduct risk in the sense that you are monitoring employees. And that’s part of the process of managing conduct risk. How do you do that without being too intrusive and compromising privacy and eroding employee trust?

Ann Chaglassian: That’s another great area to discuss. Because this can certainly get tricky, particularly where there is heightened awareness in our current culture about privacy issues and the individual rights of employees. And I think some key points around that include transparent communication.

So making sure employees understand what the company has control over. Making sure you have privacy-conscious practices so that the monitoring activities of an organization are clearly defined and aligned with legal and ethical standards. And that there’s informed consent by employees. So typically, when an employee is onboarded onto an organization, it defines really kind of the control the company is going to have over things like email and other company media.

So rather than also focusing on individual actions, because I think sometimes people think their specific actions are constantly being monitored, we try to use anonymized or aggregated data to focus on patterns where there are specific complaints or where there’s some type of broader issue that may benefit from us looking at things from kind of a broader trend perspective.

But certainly where specific issues are brought up, there is sometimes more targeted individual oversight that’s necessary. And companies have the tools and resources to do that. I think one interesting kind of point that’s been made before is, don’t ever put anything in email that you wouldn’t want read aloud in court.

And I think people forget that because people get used to the fact that it’s their email and they can kind of say whatever they want in email. And I think sometimes people need to be more conscious of that and understand that that is a company tool and the company is monitoring it.

And it may at some point become more publicly available in a way that they would not want. It’s always just to be conscious of what they’re including in written communications, certainly, and in verbal communications as well.

Julie DiMauro: That’s amazing advice, actually. I think you can sometimes feel like you have more privacy than you do in the workplace. You forget that you’re using their properties. Ann, can you tell us some instances of poor workplace cultures from the news or anonymized businesses that have offered up some lessons?

Ann Chaglassian: Sure. I think typical instances of poor workplace cultures exhibit some common characteristics. So toxic behavior, low morale, ineffective communication, discrimination, and resistance to change. And over the past several years, I think there have been numerous instances of poor workplace cultures that have made their way into the news headline.

The most prominent being the Me Too movement, which was a social movement against sexual harassment and assault, primarily in the workplace. So as individuals started sharing their personal experience of harassment and misconduct directed toward them, there was an effort to raise awareness and advocate for cultural and overall systemic changes to prevent this type of behavior.

And one of the most interesting lessons to me from this movement was the sheer volume of people who came forward with their own experiences. And I think people generally seemed surprised at the volume of the stories and the horrific nature of some of these experiences. And the question came up about, why didn’t people share these stories before? Why was this suddenly coming out now?

And I think it’s important to understand fundamentally that people need to feel that they’re in a safe space when they’re sharing this type of information. And I think this movement really made people feel connected and that they felt like they could speak up without retaliation or persecution and that they weren’t alone when they were speaking up.

And I think it’s an important lesson in just creating compliant and ethical cultures where people have to feel like there’s a support system that’s readily available to them so they can speak up when there’s misconduct. Because in so many of these stories, you hear something come up and it’s been going on for years and years and people wonder, why didn’t they speak up before?

And I think part of it is the culture. Do they feel like they have that protection? Is it a superior who’s kind of mismanaging them or treating them poorly but they feel like they don’t have that opportunity to speak with somebody? So I think those are really some critical points that came out of that movement that we should be conscious of and apply toward creating better workplace cultures.

Julie DiMauro: I’m glad you brought those up. They served as great examples of what to do and not to do based on incentives and disincentives you can create in the workplace for speaking up, for making sure that people feel heard and making sure that people feel like you’re going to act on their behalf. So yeah, thank you so much for bringing that up.

Businesses can sometimes get ahead of themselves and they try to check every box out there in terms of ethics or maybe even sustainability. How would you advise your CCO peers in terms of they’re not trying to be everything to everyone that you maybe need to just adhere to your list of priorities? What’s your best advice in that arena?

Ann Chaglassian: I think, look, I think perfection is impossible. So I think the most important thing is do what you say. So don’t make over-commitments, right? And commit to things that you know organizationally you can’t do. And that’s going to differ for every organization depending on the size, the industry, the type of organization.

The most important thing is to make sure that whatever commitments you’re making, you’re actually meeting. So I guess kind of the underlying message there is don’t over-commit because it’s worse to kind of say you’re doing something more broadly when it’s actually not happening in practice and to make those goals achievable and make those good faith efforts to do that. So that would be, I guess, my best advice.

Julie DiMauro: Thank you so much. Ann Chaglassian, Chief Compliance Officer at Marsh and Mercer, thank you so much for joining us today. I really appreciate it.

Ann Chaglassian: Great Julie, that was great.

Julie DiMauro: And thanks to all of our listeners, readers, and LinkedIn followers of GRIP. Have a wonderful day, everyone.

Listen to the audio.