Technical Knowledge Flashcards

1
Q

Category 1:

Demonstrate your understanding of ethics, compliance, governance, risk and controls within a corporate setting.

You must have:

— A proven background in Governance, Risk, Ethics and/or Compliance either in industry or professional services

— Practical experience in designing and implementing governance, risk, ethics or compliance frameworks or processes (or a sound understanding of the area / willingness to learn)

A
  1. What is GREC - summarisation of concepts
  2. Why good GREC matters - an opportunity, not a mere obligation
  3. Where I’ve done it: Compliance (Ofcom), Governance/Risk (Ofcom, Consulting), Ethics (CSR initiatives)

__________________________

What is GREC & Why GREC matters

In today’s business environment, organisations face abundant risks and regulatory compliance challenges. GREC is a set of critical interrelated concepts that businesses should address in an integrated and strategic manner in order to be sustainably successful.

While organisations drive towards their overarching objectives, an effective approach to GREC issues will enable them to navigate the complex landscape in which they operate. Deloitte’s Ethics & Regulatory Compliance service line provides services with strategic advice to address these multiple challenges in a holistic way.

Good GREC should be seen not just as an obligation, but as an opportunity!

Why I am an exceptional client-ready candidate with a mature understanding of GREC

I have developed a strong understanding of GREC concepts from my various regulatory strategy, consulting and legal roles in large cross-functional organisations. I have developed an adaptable strategic mindset well-suited to tackle the complexity of GREC challenges.

(1) Compliance - Regulatory Policy & Strategy at Ofcom, the UK Communications Regulator. Setting standards for international services to follow, aimed at making the lives of UK citizens safer online.
— Strategy & Policy - My experience enables me to understand and interpret trends in the rapidly changing landscape of digital regulation, which will be invaluable for advising clients on their compliance challenges. I am responsible for: leading priority projects for the OS regime; setting strategic objectives; conducting long-term planning; coordinating the activities of teams and ensuring their alignment to overarching strategic objectives.
— Cross-Regulatory Collaboration - Working on cross-regulatory policy coherence and collaboration initiatives (e.g., DRCF - OS & DP, CP, Competition), which involves engaging services to improve their knowledge of interrelated regulatory concepts.

(2) Governance & Risk - Programme Operations experience of addressing complex organisational challenges using structured approaches including risk management frameworks
— Business Continuity Planning and Incident Management
— Handling illegal content and official sensitive risk intelligence
— Online Safety Programme Governance
— Capgemini Invent LECP Incident Management/Service Management
— Capgemini Invent DSA Impact Assessment Reporting

(3) Ethics - I am a champion for business ethics initiatives, helping achieve organisational strategic goals in priority areas such as inclusion and sustainability.
— Sustainability: Capgemini Invent CSR
— Social Inclusion: Capgemini Invent CSR Schools Outreach Programme
— Diversity and Inclusion: Ofcom D&I Strategy — As part of the organisation’s 5-year D&I strategy 2021-26, Ofcom aims to promote inclusion in the workplace, particularly for underrepresented groups. I contributed to building Ofcom’s inclusive culture by leading a variety of initiatives with the organisation’s Faith Network, including: a Diwali Food Fundraiser, Islamophobia Awareness Event, Iftar Night, and Holocaust Memorial Day.

2
Q

Category 1:

Sound knowledge of the various topics that typically form part of an Ethics and Corporate Compliance programme e.g. Anti-Bribery & Corruption, Ethics Frameworks, Modern Slavery, Human Rights, Diversity & Inclusion

Working knowledge of a range of regulations relevant to our clients (e.g. Content Moderation, Competition, Anti-Bribery & Corruption, Anti-Money Laundering, Privacy, Modern Slavery, Human Rights, Diversity & Inclusion, Whistleblowing).

A

Rough structure:

  1. Ethical compliance is increasingly important to organisations, and complex; beneficial for attracting/retaining investment, employees and customers
  2. Ethical compliance obligations are derived from many sources of hard and soft law
  3. How to achieve it? Basic framework: introduce policies, assess risks, implement measures to reduce and mitigate risks (processes, due diligence, cultural tx, board governance, colleague surveys, complaints/employee reporting), assure controls (3 lines of defence - day to day operations, GRC, third party audit), evaluate outcomes and report on impact
  4. Where have I done it? eAPM tool, Faith Network, Schools Outreach Programme at Capgemini

A combination of hard and soft law

— CSDDD, CSRD, EU Taxonomy Regulation

— Companies Act 2006 – Chapter 4A of the Act requires companies to prepare an annual strategic report including information on the business’s impact on the environment as well as that of social, community and human rights matters (section 414C(7)).

— Equality Act 2010 (fulfils the right to non-discrimination) – Pay Gap reporting comparing outcomes for individuals from minority ethnic backgrounds // section 2 Gender Pay Gap Information Regulations 2017: employers with 250 or more employees must publish information detailing pay and gender statistics at their company. This information must be published annually and demonstrate whether there are differences in pay between employees of differing genders.

— Modern Slavery Act 2015 – Section 54 of the Modern Slavery Act 2015 obliges certain commercial entities to produce a statement each year detailing the steps they have taken to ensure their business and supply chains are free from slavery and human trafficking // common compliance activities include: educational programmes for employees; implementing reporting processes; supply chain due diligence; divesting from high-risk suppliers

— Bribery Act 2010 – companies may be liable for bribery offences committed by their workers and associated third parties unless they put adequate anti-bribery procedures in place. The Ministry of Justice’s guidance to the Act indicates that undertaking appropriate due diligence is one way companies can work to implement adequate anti-bribery procedures // strict liability for commercial organisations whose service providers (called ‘associated persons’) engage in bribery unless the organisation has adequate procedures in place to prevent it.

— Human Rights Act 1998 – Where businesses carry out public functions they may be required to comply with the Human Rights Act (provisions based on the European Convention on Human Rights)

— Soft Law – United Nations Guiding Principles (UNGPs) on Business and Human Rights – the UK Government has committed to implementing these. Under the second pillar, businesses must respect human rights.

How have I contributed to business ethics in my current role?

Ethics - I am a champion for business ethics initiatives, helping achieve organisational strategic goals in priority areas such as inclusion and sustainability.

Sustainability (Capgemini Invent CSR) — As part of its ESG policy, CGI made a strategic commitment to tailoring its operations to support the UN Sustainable Development Goals, and more specifically to help clients save 10m tons of CO2 eq by 2030. In furtherance of these objectives, I attended a Sustainability Leadership Development Course by the University of Exeter. As a result, I worked with a UK Civil Service team to baseline the measurement of carbon emissions from their digital infrastructure. I worked with client-side contacts to gather information on the organisation’s digital assets (e.g., Cloud infrastructure, data centres, number of computer users, regularity of time spent doing work digitally), and analysed this information using CGI’s eAPM tool (eAPM project). This enabled YOY assessment of the digital infrastructure assets and optimisation of the organisation’s tooling to help meet its objectives.

Social Inclusion: Capgemini Invent CSR Schools Outreach Programme — as part of the organisation’s diversity & inclusion objectives, CGI aimed to promote digital inclusion. One of the activities sitting underneath this was ‘opening doors to careers in tech’. I attended schools in low-income areas and hosted roundtable discussions with high schoolers of different ages, educating them on the benefits of careers in tech.

Diversity and Inclusion: Ofcom D&I Strategy — As part of the organisation’s 5-year D&I strategy 2021-26, Ofcom aims to promote inclusion in the workplace, particularly for underrepresented groups. I contributed to building Ofcom’s inclusive culture by leading a variety of initiatives with the organisation’s Faith Network, including: a Diwali Food Fundraiser, Islamophobia Awareness Event, Iftar Night, and Holocaust Memorial Day.

3
Q

Category 1:

Knowledge of key flagship internet regulations including, but not limited to, EU (European Union) Digital Services Act, EU Digital Markets Act, EU AI Act and UK Online Safety Act

A

— AI regulation approaches - UK approach vs EU AI Act
— DMA vs DMCCA
— OSA vs DSA
— ICO policies

  • AI Act Update: note the EU’s publication of a consultation on its AI Strategy (open 9th April, closing in June) to identify “additional measures to ensure the smooth and simple application of the AI Act”
4
Q

Category 1:

Helping organisations get “reg ready”, helping establish Ethics & Regulatory Compliance capabilities across a range of organisations. Identifying ethics and compliance risks and controls across a diverse client base. Designing and/or implementing frameworks, capabilities and processes within organisations to address current and emerging regulatory obligations

A

Apply a structured framework for promoting compliance:

  1. Draft policies
    — Drafting policy at Ofcom (e.g., ICO documentation, P&IT documentation, incident management)
  2. Assess risks
    — DSA RA example
    — Operational Risk Report
  3. Implement controls
    — 1st line - Embed processes in day-to-day operations
    — 2nd line - Implement governance structures to manage risks
    — E.g., P&IT operating model tx to manage information risks; OS Inc Mgmt process to manage crisis risks; OS Programme Governance to manage strategic risks; LECP Service Mgmt Framework to manage operational risks
  4. Assure controls
    — 3rd line - Independent audit and assurance
    — E.g., test exercises
  5. Report on outcomes
  6. Enhance processes using technology
    — Tech Delivery expertise
    — Managing teams of data engineers
5
Q

Category 1:

When have you dealt with governance issues before?

A
  1. What is ‘governance’? — Implementing management structures, policies and processes to address risk
  2. I’ve done it at Ofcom — OS Programme Governance
  3. …And I’ve done it at Cap — LECP service management

OS Programme Governance

  • Implemented a new framework, promoting transparency and accountability for delivery of outcomes
  • Driving a culture change - more accountability
  • Provided a forum for risk identification, analysis and reporting
  • Ensured the right ‘Board representation’, creating opportunities for GDs and Ds to interact
  • Managed attendances to ensure frank, straightforward discussion
  • Implemented a performance evaluation framework (OKRs) to standardise measurement of outcomes
  • Ensured strategic coordination of activities by coaching alignment of delivery planning to the organisation’s strategic priorities
  • Implemented technological enhancements to reporting processes
  • Dashboards enabled visibility of team delivery activities
  • Identified and addressed strategic risks: RFI roles/responsibilities (GRM team), Data Strategy (OS product pipeline)
  • Facilitated healthy discussion and debate on key strategic issues
  • Delivered over 30 governance forums, making incremental improvements using a CI methodology
6
Q

Category 1:

When have you dealt with risk management issues before?

A

(1) Experienced at using structured problem solving projects to address risks. Examples of mitigating risks with new policies and processes:

  • Riots - HPIM and BCP process controls
  • LECP - HPIM and change management process controls
  • DSA Risk Assessment Reporting
  • Managing sensitive and illegal content at Ofcom
  • DRCF coherence projects

Model:
Risk Analysis -> Risk Controls -> Risk Assurance/Reporting

(2) Overlaid with technical communication skills from my law degree, legal experience and law enforcement background
