2011 Report: Governance and Management
Solid management, performance and compliance for a sustainable enterprise
Overview
SAS maintains its commitment to corporate social responsibility. In 2011 the Executive Sustainability Council continued its role ensuring that sustainability goals and priorities permeate every aspect of the company's operations. The Corporate Social Responsibility (CSR) Task Force is an interdepartmental group that meets regularly to integrate these efforts across the business.
These teams continue to work closely with all aspects of the business, engaging with various departments and ensuring policies and initiatives regarding CSR are considered in all aspects of the business.
As part of its CSR commitment, SAS senior management is represented on the boards of leading conservation organizations, such as The Nature Conservancy, and provides influence on the global stage through organizations such as the World Economic Forum, World Resources Institute and the Environmental Defense Fund.
2011 Highlights
| Initiative | 2011 Goals | Performance Highlights | 2012 Goals |
|---|---|---|---|
| Compliance | Maintain “zero tolerance-zero fines” for noncompliance with environmental, anti-corruption, trade and privacy laws. | Achieved goal. | Maintain “zero tolerance-zero fines” for noncompliance with environmental, anti-corruption, trade and privacy laws. |
| Ethics and Compliance –Training | Increase compliance course training and completion rates. | Released a Social Media Responsibility course. Released an International Traffic in Arms Regulations course. Initiated translation of a global Privacy course. |
Release the global Privacy course in seven languages. |
| Anti-Corruption | “Zero tolerance-zero fines” for anti-corruption for US and international operations. | Accomplished goal of posting anti-corruption due diligence screening program and policy for Alliance Partner candidates. Expanded third-party due diligence efforts. Expanded US lobbying, gift and campaign law compliance measures by engaging a specialized firm that helps SAS manage these matters in the US. Began development of a specific SAS UK anti-corruption program and SAS Italy code of ethics program. Completed initial review of high-spend suppliers. |
Refining third-party due diligence program and expanding it for use with partners and subcontractors with due consideration of proportionality and risk for each market served by SAS and its subsidiaries.
Continue review of mid-tier and mid-low-tier suppliers, and new suppliers. |
| Fair Trade Laws, International Peace Accords, Anti-Aggression Laws and Sanctions, and Anti-Boycott Laws | Accomplished.
Revised initial processes to allow real-time (or near-real-time) updates to external Export Commodity Classification Number (ECCN). Completed improvements to the internal ECCN assignment and data storage application to streamline product classification process and improve timeliness and accuracy of classification posting and reporting. |
Processed and exported 17,680 software orders and received no government fines.
Successfully executed an anti-boycott law compliance program for all its offices in countries where there is a risk that customers may seek to involve SAS in boycotts prohibited by the US government. SAS properly reported all boycott requests received and declined to participate in any prohibited boycotts. |
Continue work on next phases involving creation of a system to enable near-real-time updates to external ECCN chart.
Continue to have no government fines. |
| Privacy Protection Laws | Advance awareness of SAS privacy and security practices (internal and external audiences). Develop new mechanisms to communicate these policies and practices. | Achieved goal through: Updated SAS OnDemand’s Business Customer Privacy Policy to align with new data retention policy. Completed first phase of providing privacy training and policy upgrade assessment for select offices. Conducted annual in-person privacy training of SAS OnDemand personnel. |
Assist offices in filing required documents and notifications as needed.
Conduct annual in-person privacy training of SAS OnDemand personnel. Translate global privacy course into seven languages and assign it to all employees worldwide if pertinent for their responsibilities. |
Stakeholder Engagement
SAS continues to engage with stakeholders both internally and externally, including:| Stakeholder Group | Types of Engagement | Examples from 2011 |
|---|---|---|
| Communities | Employee volunteers, grants, donations and training. | SAS employees volunteered 22,700 hours through the Employee Volunteer Fund (EVF), resulting in $90,500 paid to schools across North Carolina. |
| Employees | Intranet, webcasts, webzines and blogs. | 790 blogs; 1,304 intranet stories; 502,207 hits to the US SAS Family and three employee morale programs held. |
| Regulatory and government | Regular meetings and briefings, membership in trade associations and business organizations. | SAS joined the UN Global Compact. |
| Industry organizations | Interviews, meetings, briefing papers, white papers and articles. | |
| Business partners and suppliers | White papers and articles. | Meetings, webcasts and representation on boards. |
Governance Structure
SAS Institute Inc. is a North Carolina corporation that has been privately held since its inception in 1976.
SAS is headquartered in Cary, NC. The company operates through functional divisions that include Worldwide Marketing, Research & Development, Finance, Legal, and Corporate Services. SAS delivers software and related services to customers throughout the world. These sales operations are conducted primarily through SAS and its controlled sales subsidiaries, which operate in 57 countries. These entities are grouped into three regional sales divisions – the Americas; Europe, Middle East, and Africa (EMEA); and Asia Pacific.
The SAS Americas division includes 12 companies (SAS Institute Inc. and 11 operating subsidiaries), which provide software and services to customers in specific territories. The Europe, Middle East and Africa division and the Asia Pacific division together include approximately 48 operating subsidiaries. SAS also has a number of representative and branch offices in the above regions, with a total sales presence in more than 55 countries. SAS also has subsidiaries in the Asia Pacific region that are dedicated to conducting research and development activities for SAS and its affiliates.
DataFlux, IDeaS, Memex, VSTI, Assetlink, JMP and Teragram are separately branded but affiliated lines of business that are operated either through dedicated wholly owned subsidiaries of SAS or as integrated divisions of SAS.
Jim Goodnight, Chief Executive Officer, and John Sall, co-founder and Executive Vice President, are the company’s principal shareholders and constitute the board of directors serving as executive officers, overseeing corporate performance and investment decisions across environmental, social and economic interests.
Corporate social responsibility initiatives and priorities are set by the board, working with Senior Vice President and Chief Marketing Officer Jim Davis. The SAS Executive Sustainability Council, formed in 2008, continues to ensure that SAS’ global operations conduct business in a sustainable manner. This group includes representation from senior-level executives. Read more on SAS’ sustainability initiatives. Employee rights are managed through Human Resources; ethics and compliance are managed from Compliance in Legal (covering compliance with anti-corruption, privacy and anti-aggression laws); sustainability and environmental conservation are managed through Facilities.
Ethics and Compliance
SAS has a corporate culture based on trust between its employees and the company. SAS employs the highest ethical standards in its dealings with customers, suppliers, partners and competitors.
To help SAS maintain its high standards for respect, honesty, fairness and accountability, the company created the SAS Code of Business Ethics and related training courses. The Code of Business Ethics provides guidance to SAS employees and its subsidiaries on how to comply with all laws, rules and regulations of the countries in which SAS does business to ensure legal and ethical behavior.
SAS offers courses and training to help employees better abide by the SAS Code of Business Ethics, applicable external rules and regulations. SAS provides this training to help all employees make the right choices when ethical and regulatory challenges arise. SAS also provides certain ethics and regulatory compliance training to employees and certain contract workers to protect SAS’ business partners’ interests, as well as government and societal responsibilities. Training is provided worldwide online to all employees, and targeted training is also provided in person to particular groups on specific issues, such as gift laws relating to government officials or export laws on encryption software exports.
Training courses are provided on the SAS Code of Business Ethics, including:
- Information security.
- Export control awareness.
- Ethics in selling, buying and competing.
- Respect in the workplace.
- US Foreign Corrupt Practices Act.
- Defense export controls (International Traffic in Arms Regulations).
- Executive compliance training.
SAS has strict regulations on gifts, bribery and how to conduct business fairly and to avoid undue influence when dealing with third parties. In 2011, SAS expanded its domestic lobbying, gift and campaign law compliance measures by engaging a specialized firm to help manage these matters in the US.
SAS also operates an ethics hotline where employees are encouraged to report any violations of the Code of Business Ethics. SAS will not retaliate against anyone who makes a good faith report of ethical, regulatory or legal compliance issues.
In 2011 there were no violations in the areas of corruption, ethics, bribery, anticompetitive behavior, antitrust or monopoly practices; SAS was not fined for noncompliance with any laws or regulations.
SAS Conflicts of Interest Policy
"Employees, subcontractors, or agents will not knowingly make, receive, provide, or offer gifts for the purpose of influencing any act or decision with respect to any government contract, any other contract, or otherwise act in any manner inconsistent with Company policies. No employee shall offer any gift to any local, state, federal, or foreign government employee, official, or any foreign political party except as authorized by the employee's manager and the Company's Legal Department."
Because the term gift is defined so broadly and in varied forms under the laws of the several jurisdictions where SAS does business, and because gifts from vendors to customers, especially in transactions with governments, have in many jurisdictions been deemed illegal or unethical, SAS has implemented a broad provision against providing gifts to persons who might have influence over awarding a contract. The anti-bribery, lobbying, gift, and campaign financing laws that give rise to gift restrictions are further explained in SAS’ compliance group’s Web guidance materials and in targeted training for affected employees.
Privacy
Privacy is part of the mainstream business culture at SAS as companies respond to emerging state, federal and international privacy and data protection legislation; rapid changes in technology and security; and growing consumer and employee concern about the collection, storage, use and sharing of personal information. The Legal Department, along with other divisions, periodically reviews SAS’ and its various business units’ information collection practices to ensure that SAS’ Privacy Statement accurately reflects the practices and informs individuals who provide SAS with personal information. It also guides what SAS does with that information: how it is collected, used and shared; what choices exist with respect to personal information; and how to contact SAS with any questions or concerns they may have.
Our current Privacy Statement is global and applies not only to SAS Americas, but to its foreign subsidiaries and other business units who maintain a separate online website. Translated versions of the Privacy Statement with country-specific requirements are also made available.
In 2011 there were no material complaints regarding breaches of privacy or losses of customer data.
