Last year, Craig Moss, EVP – Ethisphere spoke with Lígia Gutierrez Setúbal, former Head of Privacy and Compliance for OutSystems and currently Associate General Counsel at Feedzai.

OutSystems is a global software company based in Lisbon, Portugal that specializes in helping enterprises build mobile and web apps, chatbots, and reactive web applications for any device.

As a KKR portfolio company, OutSystems participated in Ethisphere’s program to measure and improve their compliance program maturity. Craig led the work with KKR portfolio companies and worked closely with Lígia and her colleagues to define an improvement project and achieve the goal.

Through KKR’s membership in the Business Ethics Leadership Alliance (BELA), OutSystems made use of the Guide for Building and Sustaining an Effective Champion Program to create a best-in-class data protection program. The end result? Lígia’s team helped build awareness and commitment among OutSystems’s senior management and helped reduce risk across the enterprise.

Craig: Can you tell us a little bit more about OutSystems?

Lígia: OutSystems is a global software company. It provides a modern application platform for building software in a fast, right way and for the future. OutSystems empowers teams to develop innovative cloud applications for delivering new services, winning new customers and capturing new markets.

Craig: Your work with Ethisphere began with an anti-corruption program maturity assessment and then progressed to a rapid improvement workshop with your full executive team. Can you tell us a little bit about your experience with that process and some of the key things that you and your team learned from it?

Lígia: It was great to understand the company’s maturity level so we could easily identify gaps and areas of improvement. The exercises during Ethisphere’s workshop on how to assess and prevent compliance risk were spot on. We left with a very clear understanding on how to identify risks, assess the probability of negative impacts, and steps to manage those risks. It was also very interesting to learn how different cultures have different risk tolerances. In a multicultural company like OutSystems, that clarity is of essence to find the best balance and the most appropriate approach for the company.

Ethisphere provided the tools to identify inherent risks and rank them appropriately, which was essential. It was particularly useful to have a preemptive mindset, so if an incident happens, the company would be prepared to act with a clear action plan rather than have a reactive approach.

But the workshop also helped understanding what we would like to achieve considering the risks identified, and how to create a clear path with strong milestones.

Craig: You mentioned how risk tolerance varies from culture to culture, and the difficulty in getting people to change. Could you expand on that?

Lígia: In a multicultural environment, risk appetite varies a lot; in highly regulated areas, such as privacy, risk tolerance may shrink or not, depending on what you have been exposed to. I think the best way of approaching this is to be open and listen to different ideas and experiences. Being European, it was very important to get the inputs from Ethisphere and OutSystems´ North American General Counsel. Balancing and value all the experiences is the way of getting the best of different cultures and it was key for getting a first-class program as we have right now, that fit OutSystems’ best interests and needs.

Craig: When OutSystems and Ethisphere started working together, we started off thinking about how to strengthen your anti-corruption program. But then based on your needs and the risks that you faced, we transitioned over to data privacy. How do you feel the whole management system approach that we used in anti-corruption transferred over to data privacy?

Lígia: The management systems approach used in anti-corruption was very much helpful, regardless of the goal we determined in the beginning. We took the best out of the self-assessment and Ethisphere’s conclusion about the maturity of the compliance program, the workshop and several discussions we had along the way – Ethisphere did not only helped on the project itself but provided a true partnership and walked together with us throughout the project.

With your help and considering the needs of the company, we reassessed what should be prioritized taking into consideration the risks and needs of the business.

The result was a more relatable goal for the people that would be involved, which was crucial for the success of this project.

Craig: Coming out of the executive workshop, we worked with you to identify a specific measurable goal. And in your case, it was around building a champion program focused on data retention. How did achieving that goal help OutSystems?

Lígia: Our specific goal was to train a champion network within six months to implement a data retention program. For that, and as mentioned before, having a clear timeline with measurable milestones and tasks were utmost important for the project’s success and to pave the way for the future.

What happened after was the success story. The plan was put in motion, with the ambitious target of 100% completion of what we set out do, within the timeline established, and we were thrilled to have made it and with the success of the program! We built a fully engaged cross-functional team for data retention and more. Future compliance projects will benefit from a great and fully committed team, all working to excel and continuously improve OutSystems Compliance Program.

Training a champion network definitely helped creating more awareness around compliance topics. It was wonderful to see compliance on top of all champions lists, getting people inspired and empowered to cascade such important messages, with a sense of mission. OutSystems’ compliance program is growing fast, aligning with the company’s culture.

Craig: How many champions in total are part of it? How did they respond to the challenge?

Lígia: OutSystems has 10 to 12 champions. As mentioned, the team was tireless. They all understood the sense of urgency and the mission. Despite all the work they already had, they all indulged in the project completely, believing that giving their best would bring the best to OutSystems. That’s how good people are.

Craig: Could you tell us a little bit about how you used Ethisphere’s Guide to Building a Sustainable Champion Program, and how it fit into your own champion program?

Lígia: Ethisphere’s Guide for Building and Sustaining an Effective Champion Program was key for the success of the project. All companies that want to develop champion programs should closely read the Guide. It provides all relevant hints and tipsto develop a winning champion program. One thing that I thought was particularly important were the examples of other companies’ champion programs. Also, it provides training guidelines and materials you could easily pull from and adapt to your own company’s reality. Of course each company has its own culture, so tailor it for the company’s fit is most important. Another helpful tip of the Guide is on how to select criteria for a good champion and how to communicate your message correctly. You want people to feel part of the project and engaged with you as a project leader. You do not want to pass the message that people will have a second job (on top of what they already have).

Craig: How did you build the relationship between yourself, senior leadership, and your champions?

Lígia: First, I introduced the champions program to our Senior Management Team and they were immediately engaged. Each of them was enthusiastic in picking the right people in their teams to communicate compliance matters and tasks in the best way possible. We agreed that champions should knew the company’s culture, have a sense of leadership and most importantly, be people who bring people together. Champions were picked and all felt empowered with a project with high relevance for the company’s future.  With the CEO and SMT buy-in, all people involved were happy to be part of this new journey. We kicked-off the project and together we defined a work-plan within the timeline, milestones and tasks we collectively needed to achieve. It was a true group work. With everybody onboard and aligned, my work was easy.

About the Expert

Lígia Gutierrez Setúbal is the former Head of Privacy and Compliance for OutSystems and currently Associate General Counsel at Feedzai, where she plays a strategic role in building a best-in-class Compliance, Intellectual Property, and Privacy program. Previously, Lígia was the head of Compliance and Privacy globally at OutSystems, where she defined, implemented, and evaluated the company’s global Data Protection and Compliance strategies. Lígia holds a degree in Law and Information Society from the Universidade de Lisboa. She also holds an LLM. in IP and Competition Law from the Munich Intellectual Property Law Center. Lígia is based in Lisbon, Portugal.

About the Author

Craig Moss is the Executive Vice President of Measurement at Ethisphere.